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I.  Introduction 


With  the  increase  of  size,  interconnectivity,  and  number  of  points  of  access,  computer 
networks  have  become  vulnerable  to  various  forms  of  information  attacks,  especially  to  new, 
sophisticated  ones.  It  should  be  pointed  out  that  biological  organisms  are  also  complex  and 
interconnected  systems  that  have  many  points  of  access;  these  systems  are  vulnerable  to  sabotage 
by  alien  microorganisms  that,  based  on  the  attack  mechanisms  described  in  modem  immunology, 
could  be  viewed  as  information  attacks.  During  evolution,  biological  organisms  have  developed 
very  successful  immune  systems  for  detecting,  identifying,  and  destroying  most  alien  intmders. 
This  research  is  aimed  at  the  establishing  a  connection  between  the  basic  principles  that  govern 
the  immune  system  and  potential  uses  of  these  principles  in  the  implementation  of  information 
security  systems  (ISS)  for  computer  networks.  This  is  the  goal  of  the  proposed  Biological 
Approach  to  System  Information  Security  (BASIS)  that  is  presented  in  this  report. 

The  following  table  features  some  basic  similarities  between  biological  and  computer 
defense  systems.  However,  a  mutually  beneficial  cross-pollination  between  information  security 


Table  1-1.  Similarities  Between  Biological  and  Computer  Defense  Systems 


Biological  Systems 

Computer  Networks 

High  complexity,  high  connectivity, 
extensive  interaction  between 
components,  numerous  entry  points. 

High  complexity,  high  connectivity, 
extensive  interaction  between 
components,  numerous  entry  points. 

Vulnerability  to  intentionally  or 
unintentionally  introduced  alien 
microorganisms  that  can  quickly 
contaminate  the  system  resulting  in  its 
performance  degradation  and  collapse. 

Vulnerability  to  malicious  codes 
(including  computer  viruses)  that  being 
introduced  in  the  system  result  in 
unauthorized  access  to  information  and 
services  and/or  denial  of  service. 

Alien  microorganisms  as  well  as  cells  of 
a  biological  system  are  composed  of  the 
same  building  blocks  -  basic  amino  acids. 

Malicious  codes  as  well  as  the  operational 
software  of  a  computer  network  are 
composed  of  the  same  building  blocks  - 
basic  macro  commands. 

The  difference  between  alien 
microorganisms  and  the  healthy  cells  of  a 
biological  system  is  in  the  (gene) 
sequencing  of  their  building  blocks. 

The  difference  between  malicious  codes 
and  the  operational  software  of  a 
computer  network  is  in  the  sequencing  of 
their  building  blocks. 

Biological  immune  systems  are  capable 
of  detecting,  recognizing  and  neutralizing 
most  alien  microorganisms  in  a  biological 
system. 

Information  security  systems  should  be 
capable  of  detecting,  recognizing  and 
neutralizing  most  attacks  on  a  computer 
network. 

and  immunology  have  been  effectively  prevented  by  historically  different  methodologies: 
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-  biological  immunology  is  a  discipline  dominated  by  ehemistry,  with  unsophistieated 
mathematieal  apparatus  and  primarily  qualitative  approaeh,  addressing  intimidating  eomplexity 
of  the  living  tissue  (eannot  eontaet  the  designer) 

-  information  seeurity  is  dominated  by  mathematies  and  quantitative  approaeh,  it  deals 
with  relatively  simple  material  base  (always  ean  eontaet  the  designer  and  manufaeturer) 

Computer  immunology  [1],  [2],  [3]  is  a  very  new  direetion  in  eomputer  information 
seeurity  aimed  at  the  exploration  and  possible  utilization  of  various  aspeets  of  immunology  for 
the  development  of  novel  information  seeurity  systems.  The  BASIS  projeet  is  a  multi- 
diseiplinary  effort  faeilitating  an  exehange  of  methodologies,  eoneepts  and  philosophies  between 
two  diseiplines.  The  approaeh  proposed  in  this  researeh,  refleets  the  similarities  between  the 
eomputer  network  seeurity  problem  and  the  task  of  proteeting  a  biologieal  system  from  invading 
mieroorganisms.  Its  ultimate  goal  is  to  synthesize  an  ISS  of  a  eomputer  network  that  follows  the 
basie  prineiples  of  operation  of  the  biologieal  immune  system. 

In  order  to  be  dependable,  existing  ISS  must  be  able  to  prevent  partieular  kinds  of  threats 
and  suppress  most  speeifie  types  of  attaeks.  This  requires  an  enormous  amount  of  data 
proeessing  that  adversely  affeets  the  overall  network  performanee  and  throughput.  With  the 
eomplexity  of  modern  information  seeurity  systems,  an  ISS  must  eomprise  a  large  number  of 
independent,  largely  autonomous,  network-based,  speeialized  software  agents  operating  in  a 
eoordinated  and  eooperative  fashion  designated  to  prevent  partieular  kinds  of  threats  and 
suppressing  speeifie  types  of  attaeks.  This  is  the  only  realistie  approaeh  providing  the  required 
level  of  general  seeurity  of  information  aeeording  to  a  global  eriterion  without  burdening  the 
network  resourees.  It  eould  be  aehieved  only  by  adopting  the  most  advaneed  prineiples  of 
interaetion  between  partieular  agents.  The  utilization  of  biologieal  defensive  meehanisms 
developed  by  million-year  evolution  has  a  great  potential  for  the  assuranee  of  information 
seeurity  in  large-seale  eomputer  networks.  Immune  defense  meehanisms  have  distributed  eells 
(agents)  of  various  types  that  attaek  anything  suspeeted  to  be  alien.  Cells  interaet  by  sharing 
information  about  the  type  and  loeation  of  an  intruder,  utilize  the  feedbaek  prineiple  for  engaging 
only  “as  many  eells  as  neeessary,”  and  are  eapable  of  learning  about  intruders  that  results  in 
immunity  to  repeated  attaeks.  Researeh  in  immunology  has  established  various  meehanisms  of 
individual  behavior  of  eells  resulting  in  their  ability  to  deteet,  identify,  pursue  and  destroy  an 
alien  entity;  to  aeeumulate  knowledge  on  attaekers,  to  adopt  behavior  to  a  new  situation;  and  to 
determine  the  proper  response.  These  meehanisms,  developed  by  evolution,  are  highly  effieient 
and  sueeessful.  In  addition  to  individual  eell  operation,  immunology  presents  numerous 
examples  of  eolleetive,  almost  intelligent,  “unselfish”  behavior  of  various  types  of  defensive 
eells.  This  eolleetive  eell  behavior  allows  the  aehievement  of  high  effieieney  and  minimum 
response  time  of  the  immune  system,  as  well  as  maximum  utilization  of  its  limited  resourees. 

The  major  differenee  in  the  targets  between  the  immune  system  and  an  ISS  is:  the  immune 
system  treats  as  an  “enemy”  any  foreign  entity  within  the  organism,  while  an  ISS  must  reeognize 
and  treat  as  an  “enemy”  any  illegitimate  entry  or  software. 

A  biologieal  immune  system  of  an  advaneed  organism  already  has  been  eonsidered  as  a 
good  and  elear  example  of  a  modem  agent-based  ISS  [4],  [5].  The  immune  system  eonsists  of 
distributed  white  blood  eells,  whieh  attaek  anything  that  they  eonsider  alien.  By  having  as  many 
eells  as  neeessary,  the  animal  body  is  able  to  defend  itself  in  a  very  effieient  way.  If  the  animal 
body  is  infeeted  in  one  area,  then  eells  move  to  that  area  and  defend  it.  Modem  multi-agent 
system  teehnology  presents  a  valuable  approaeh  for  the  development  of  an  ISS  that  is  expeeted 
to  have  very  promising  advantages  when  implemented  in  a  distributed  large-seale  multi-purpose 
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information  system.  A  consideration  of  an  agent-based  model  of  an  ISS,  consistent  with  the 
BASIS  concept,  is  given  in  [6]. 

The  BASIS  project,  however,  does  not  pursue  the  development  of  an  artificial  immune 
system  that  at  the  present  level  of  technology  is  not  feasible  [7].  The  research  is  aimed  at  the 
selection  of  particular  information  security  problems,  common  in  computer  networks.  Then, 
based  on  the  expertise  in  the  operation  of  the  immune  system,  similar  situations  common  in  the 
immune  system  are  to  be  identified,  and  the  mechanisms  of  the  immune  response  will  be 
investigated.  The  description  of  the  appropriate  immune  response  is  obtained,  first  on  the 
qualitative  level,  and  then  the  mathematical  models  will  be  obtained.  Implemented  in  software, 
these  models  could  be  used  as  simulation  tesbeds  suitable  for  the  analysis  of  the  immune 
response  and  establishing  the  conditions  leading  to  particular  outcomes.  Finally,  an  attempt  will 
be  made  to  adopt  these  models  for  the  design  of  defense  mechanisms  intended  for  a  computer 
network. 

Our  ISS  approach  can  be  viewed  as  the  development  of  a  set  of  semi-autonomous 
distributed  agents  capable  of  detecting,  recognizing,  pursuing,  and  learning  about  the  attackers. 
Necessary  functions  of  the  ISS  agents  addressing  various  tasks  within  the  ISS  are  to  be 
established.  While  the  implementation  of  particular  ISS  agents  may  be  computationally 
intensive,  a  feasible  ISS  system  requires  a  high  degree  of  interaction,  coordination,  and 
cooperation  between  agents.  It  is  believed  that  these,  almost  intelligent,  interactions  constitute 
the  centerpiece  of  a  biological  defensive  mechanism  and  assure  its  high  efficiency.  Until 
recently,  quantitative  description  of  the  cooperative  behavior  of  semi-autonomous  agents 
presented  a  problem  that  could  not  be  solved  within  a  general  framework.  Such  a  framework  has 
been  provided  by  the  multi-agent  system  approach  that  can  be  utilized  as  a  mathematical 
apparatus  to  facilitate  the  formalization  of  the  complex  interaction  between  particular  agents  in 
the  fashion  that  is  observed  in  biological  immune  systems.  This  facilitates  the  development  of 
the  rules  and  procedures  of  the  interaction  between  ISS  agents  thus  leading  to  the  development 
of  a  feasible  ISS  reflecting  the  operation  of  an  immune  system.  The  feasibility  of  such  an  ISS 
could  be  assured  only  by  the  implementation  of  the  rules  of  agents’  collective  behavior  observed 
in  a  biological  immune  system  that  could  be  formalized  using  the  multi-agent  system  theory. 

A  number  of  mathematical  models  of  individual  behavior  of  defensive  cells  utilizing 
methods  of  statistics,  discrete  mathematics,  and  numerical  simulation,  have  been  successfully 
implemented.  However,  only  [8]  provides  a  comprehensive,  rigorous  mathematical  basis  for  the 
quantitative  description  of  the  operation  of  immune  cells.  The  attempts  to  develop  an  artificial 
immune  system  that  could  be  applied  for  such  a  practical  problem  as  information  security 
assurance  are  much  less  successful,  primarily  because  of  the  necessity  to  describe 
mathematically  cooperative  cell  behavior.  However,  modern  multi-agent  system  technology 
presents  the  most  plausible  approach  for  solving  this  problem  in  the  framework  of  the 
development  of  an  ISS.  The  resultant  ISS  would  operate  as  a  synthetic  immune  system  and  is 
expected  to  have  very  promising  advantages  when  implemented  in  a  distributed  large-scale 
multi-purpose  computer  information  network. 

We  propose  the  following  steps  to  achieve  ISS  by  means  of  biologically  inspired 
schemes: 

Analysis  and  Qualitative  Description  of  Immune  Systems.  An  analysis  of  the  recent 
biological  research  and  development  of  a  comprehensive  qualitative  description  of  the  operation 
of  a  biological  immune  system  are  needed  to  capture  the  behavior  immune  system  as  it  may 
relate  to  ISS-related  problems. 
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Algorithmic  Description  Immune  Cells.  The  next  step  is  to  develop  a  mathematieal/ 
algorithmie  deseription  of  the  individual  behavior  of  immune  eells  utilizing  already 
established  methods  and  models,  and  their  eooperative  operation  using  the  multi-agent  system 
theory. 

Software  Implementation  of  Models.  A  software  implementation  of  the  established 
mathematieal  models,  rules  and  algorithms  resulting  in  an  ISS  operating  as  an  artifieial 
immune  system  is  neeessary  to  test  and  eheek  these  models. 

Simulation  Environment.  A  simulation  environment  suitable  for  the  representation  of  a 
computer  network  with  a  resident  ISS  and  various  forms  of  threats  and  attacks  needs  be 
developed  to  prove  the  model. 

System  Analysis.  Simulations  need  to  be  analyzed  to  fine-tuning  of  the  resultant  ISS,  This 
analysis  should  include  assessment  of  its  impact  on  the  network  vulnerability. 

Particular  tasks  of  the  BASIS  project  addressed  during  the  performance  period  were; 

1.  Formulation  of  the  specific  features  of  the  denial  of  service  and  malicious  code-type 
attacks  on  the  computer  network.  Definition  of  their  biological  equivalents,  such  as  bacterial 
infection,  viral  infection,  food  poisoning,  etc. 

2.  Analysis  of  the  general  biological  defense  strategies  and  defensive  mechanisms  with 
the  emphasis  on  dynamics  of  major  developments,  particular  immune  responses/agents  involved, 
communication  between  agents  of  the  same  types,  communication  between  agents  of  different 
types,  communication  channels:  forms  and  formats,  cloning  and  repositioning  of  agents,  agent 
cooperation,  task  distribution,  resource  allocation. 

3.  Application  of  the  multi-agent  framework  for  the  description  of  the  system 
architecture,  functions  of  particular  agents,  coordination,  cooperation,  task  distribution,  and 
resource  allocation  tasks,  addressing  such  system/agent  properties  as  distributability,  multi¬ 
barrier  mechanism,  self-rule  (autonomous)  cells,  adaptability  and  memory.  The  particular  agent 
lists  includes  access  control  agents,  audit  and  intrusion  detection  agents,  anti-intrusion  agents, 
diagnostic  and  information  recovery  agents,  cryptographic  and  steganography  agents, 
authentication  agents,  meta-agents 

4.  Development  of  an  experimental  heterogeneous  computer  network  -  testbed  suitable 
for  the  simulation  analysis  of  attacks  and  ISS,  and  the  auxiliary  software 

While  the  BASIS  project  was  intended  as  a  three-year  effort,  this  report  reflects  only  the 
first  18  months  effort. 

Section  II  of  this  Report  provides  the  description  of  the  multidisciplinary,  international 
project  team  including  areas  of  specialization,  qualifications  and  affiliations  of  its  particular 
members.  This  team  has  been  established  at  several  international  conferences  in  the  area  of 
computer  information  security  centered  around  research  activities  sponsored  by  the  AFRL  at 
Rome  NY  and  the  European  Office  of  Aerospace  Research  and  Development  of  the  USAF 
operating  in  London,  UK. 

Section  III  of  the  Report  describes  major  types  of  the  attacks  on  a  computer  network, 
primarily  Denial  of  Service  (DoS)  attacks  and  attacks  by  the  deployment  of  malicious  codes, 
viruses,  worms  and  Trojan  Horses.  This  description  provides  the  justification  for  the  search  of 
novel  solutions  of  the  computer  network  security  problem.  It  also  is  important  for  making  an 
argument  on  the  similarity  between  biological  and  computer  attacks  and  attackers. 

Section  IV  of  the  Report  provides  a  comprehensive  description  of  the  operation  of  the 
immune  system  with  the  emphasis  on  the  particular  attackers,  specific  agents  of  the  immune 
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system,  their  individual  and  eollective  behavior,  eooperation,  task  distribution,  information 
exehange,  eonsistent  with  the  most  reeent  findings  of  immunology. 

Seetion  V  presents  further  diseussion  of  the  similarity  between  eomputer  and  biologieal 
attaeks,  attaekers,  and  defense  meehanisms.  Provided  “anatomies”  of  typieal  attaeks  show  the 
ways  to  establish  immune-like  information  security  systems.  An  attempt  is  made  to  describe  the 
dynamics  of  the  immune  response  leading  to  a  lethality,  full  recovery  or  chronic  disease  of  a 
biological  organism  and  to  utilize  the  same  equations  for  the  formulation  of  control  laws  that 
could  be  recommended  for  computer  networks. 

Section  VI  provides  mathematically  rigorous  approach,  utilizing  singular-value 
decomposition  as  the  underlying  computational  mechanism,  for  the  solution  of  a  typical 
computer  security  problem,  the  intrusion  detection.  Methods  of  immunocomputing  formulated  in 
[8]  are  employed  for  pattern  recognition,  supervised  and  unsupervised  learning,  and  the  analysis 
of  the  specifics  of  the  intrusion  with  the  potential  for  the  identification  of  the  intruder. 

Section  VII  describes  the  authors’  research  in  the  area  of  attack  detection  by  monitoring 
and  mining  of  the  data  traffic  in  computer  networks.  This  research  has  resulted  in  a  novel  data 
mining  approach  utilizing  statistical  clustering,  genetic  optimization,  and  Bayesian  estimation. 
Unlike  existing  results  in  this  area,  it  provides  explicit  attack  probabilities  and  could  be 
recommended  as  a  decision  support  tool  for  a  network  operator. 

Section  VIII  describes  the  experimental  computer  network  testbed  that  has  been 
developed  under  the  BASIS  project.  It  is  suitable  for  the  deployment  of  various  types  of 
computer  attacks,  including  attacks  by  malicious  codes,  and  conventional  and  novel  information 
security  systems.  Equipped  with  data  traffic  monitoring  and  computer  forensics  systems  it 
facilitates  research  in  the  computer  network  security  area  and  could  be  recommended  as  an 
independent  testing  site  for  any  newly  developed  computer  defense  system. 

Section  IX  of  the  Report  provides  the  directions  for  the  further  research  in  the  BASIS 
area  and  provides  a  brief  description  of  the  “Search  of  the  gene  of  self-replication”  project  that 
could  be  viewed  as  a  direct  spin-off  the  BASIS. 
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II.  Formation  of  the  Comprehensive  BASIS  Team 

The  BASIS  requires  a  multidiseiplinary  effort;  the  diseiplines  ineluded  are;  advaneed 
eontrol  theory,  mathematics,  computer  science,  computer  engineering,  biology,  information 
warfare,  and  computer  programming.  Therefore,  one  of  the  first  goals  of  this  project  was  the 
formation  of  a  comprehensive,  international  BASIS  team. 


Oi^anization  of  the  BASIS  Team 


Figure  2-1:  Organization  of  the  BASIS  Team 

The  above  chart  illustrates  organization  of  the  BASIS  team.  It  could  be  seen  that  this 
multidisciplinary  approach  is  based  on  the  expertise  in 

-  Immunology,  provided  by  Dennis  McGee,  Ph.D.,  associate  professor  of  the  biology 
department  at  Binghamton  University  and  Alexander  Polevschikov,  Sc.D.,  Professor,  Senior 
Research  Fellow  at  the  Institute  of  Experimental  Medicine  of  St.  Petersburg  Section  of  the 
Russian  Academy  of  Sciences 

-  Computer  immunology,  provided  hy  Alexander  Tarakanov,  Sc.D.,  Professor,  Senior 
Research  Fellow  at  the  Institute  of  Information  and  Control  of  the  St.  Petersburg  Section  of  the 
Russian  Academy  of  Sciences  and  Dipankar  Dasgupta,  Ph.D.,  Director,  Intelligent  Systems  & 
Security  Research  Laboratory,  Associate  Professor  of  Computer  Engineering  at  the  University  of 
Memphis,  TN 
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-  Computer  Engineering,  provided  by  Douglas  Summerville,  Ph.D.,  Assistant  Professor 
of  the  Department  of  Eleetrieal  and  Computer  Engineering  at  Binghamton  Einiversity  and^fnn 
Miller,  Ph.D.,  Distinguished  Professor  of  Computer  Engineering,  University  of  Missouri-Rolla 

-  Multi-Agent  system  theory,  provided  by  Vladimir  Gorodetski,  Se.D.,  Professor,  Chief 
Seientist  of  the  Institute  of  Information  and  Control  of  the  St.  Petersburg  Seetion  of  the  Russian 
Aeademy  of  Seienees  and  Michal  Pechoucek,  Ph.D.,  Head  of  the  Agent  Teehnology  Group, 
Assistant  Professor  of  Artifieial  Intelligenee  at  the  Czeeh  Teehnieal  University  of  Prague 

-  Computer  network  expertise,  provided  by  James  Moronski,  Chief  Engineer  at  the 
Endieott  Researeh  Group,  and  eomputer  network  eonsultant 

-  Modeling  of  Biological  phenomena,  provided  by  Svedana  Sokolova,  Se.D.,  Senior 
Researeh  Eellow  at  the  Institute  of  Experimental  Medieine  of  St.  Petersburg  Seetion  of  the 
Russian  Aeademy  of  Seienees 

-  Genetic  Algorithms,  provided  by  Harold  Lewis,  Ph.D.,  Assoeiate  Professor  of  the 
System  Seience  and  Industrial  Engineering  Department  and  the  Direetor  of  the  Center  for 
Intelligent  Systems  at  Binghamton  University 

-  Advanced  Controls,  Applied  Statistics,  Mathematical  Modeling  and  Simulation, 

provided  by  Victor  Skormin,  Ph.D.,  Principal  Investigator,  Professor,  Electrical  and  Computer 
Engineering,  Binghamton  University 

In  addition,  Joseph  Giordano  and  Dr.  Leonard  Popyack  of  the  Air  Eorce  Research 
Eaboratory  at  Rome  NY  have  helped  the  BASIS  team  to  concentrate  their  efforts  on  major 
information  security  problems  thus  addressing  the  Air  Eorce  interests  in  their  research. 
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III.  Attacks  on  Computer  Networks 


The  problem  of  information  seeurity  is  reeognized  as  one  of  the  most  eomplex  and  its 
importanee  is  growing  coherently  with  increasing  network  connectivity,  size,  and 
implementation  of  new  information  technologies.  Today,  information  has  become  a  highly 
valuable  commodity  and  its  vulnerability  is  of  great  concern  within  any  large-scale  organization 
utilizing  computer  networks.  Networks  and  information  are  becoming  increasingly  vulnerable  to 
intrusion  due  to  new  sophisticated  direct  and  remote  threats  and  attacks.  According  to  a  widely 
accepted  point  of  view  intrusion  is  defined  as  "any  set  of  actions  that  attempt  to  compromise  the 
integrity,  confidentiality  or  availability  of  a  resource"  [1].  According  to  this  definition,  there 
exist  three  main  types  of  threats  for  information  security  [2,  3,  4,  5,  8,  9,  10]: 

(1)  threat  of  unauthorized  access  to  information; 

(2)  threat  of  destroying  information  integrity,  and 

(3)  threat  of  denial  of  service  making  crucial  resource  and/or  information  unavailable. 

Denial  of  Service  (DoS)  attacks 

Denial  of  Service  (DoS)  attacks  making  crucial  network  resource  and/or  information 
unavailable,  are  among  the  most  common  attack  types.  DoS  attacks  are  both  effective  and  easy 
to  deploy.  DoS  attacks  threaten  all  systems  connected  to  the  Internet,  including  servers,  clients, 
routers,  and  firewalls.  In  a  DoS  attack  scenario,  the  attacker  sends  malicious  traffic  to  the  target 
with  the  aim  of  crashing,  crippling,  or  jamming  communication  between  the  target  system  and 
legitimate  users. 

Fundamentally,  there  are  three  DoS  attack  scenarios,  all  of  which  effectively  disable  the 
target  and  prevent  its  legitimate  use.  In  the  first  scenario,  the  attacker  exploits  bugs  in  network 
software  implementations,  crashing  or  disabling  the  target’s  communication  processing 
capabilities.  The  second  attack  type  is  aimed  at  weaknesses  in  network  protocols,  aiming  to 
overload  the  system’s  communication  resources,  which  disconnects  the  target  from  the  outside 
world.  The  third  type  of  attack  exploits  the  limited  network  bandwidth  to  the  target,  inundating  it 
with  enormous  volumes  of  traffic. 

Clearly,  all  three  forms  of  attack  have  the  common  result  of  preventing  legitimate  use  of 
the  target  system.  Although  patchwork  solutions  have  been  developed  for  many  of  the  DoS 
attacks  currently  identified,  new  attacks  are  continually  being  developed.  The  purpose  of 
connecting  computer  systems  to  a  network  is  to  provide  access  for  their  legitimate  use.  Although 
network  protocols  can  be  made  more  secure,  any  mechanism  that  allows  outside  access  to  a 
system  can  be  exploited  and  makes  that  system  vulnerable  to  attack.  Thus,  protecting  networked 
systems  requires  accepting  the  dynamic,  uncontrollable,  and  potentially  hostile  environment  in 
which  they  exist  and  developing  protection  mechanisms  that  can  cope  with  this  environment. 

Current  computer  security  systems  provide  some  degree  of  protection  of  information 
attacks  and  enhance  the  decision-making  ability  of  the  network  administrator.  These  functions 
are  performed  by  a  number  of  independent  system  components  requiring  an  enormous  amount  of 
distributed  and  specialized  knowledge,  and  consequently,  computations.  As  a  rule,  these  systems 
represent  a  bottleneck  with  regard  to  throughput,  speed,  reliability  and  flexibility  of  a  network 

Information  Attacks  by  the  Deployment  of  Malicious  Codes 

A  large  number  of  information  attacks  are  perpetrated  by  the  development  and 
dissemination  of  various  types  of  malicious  codes  such  as  Trojan  horses,  worms,  and  viruses. 


These  attaeks  result  to  the  violation  of  the  eonfidentiality,  integrity,  availability  of  the 
information  and,  potentially,  eomplete  loss  of  administrative  eontrol  of  the  host  operation.  The 
main  stages  of  sueh  an  attaek  inelude  implantation  of  a  malieious  program  into  the  remote 
system,  exeeution  of  the  program,  information  exehange  between  malieious  program  and  some 
outside  servers  resulting  in  the  spread  of  the  attack,  gaining  control  of  the  attacked  host  and 
potentially,  the  entire  network.  The  particular  sequence  of  such  stages  depends  on  type  of  the 
attack. 

The  following  are  subsets  of  this  class  of  attacks: 

1.  Implantation  of  a  malicious  executable  file  (program)  into  remote  computer  systems. 
These  attacks  include  implantation  and  consequent  execution  of  a  malicious  program  in  the 
target  system.  In  addition  to  rendering  the  attacked  computer  useless,  malicious  programs  have  a 
built-in  self-replication  function  resulting  in  the  potential  dissemination  of  this  program  over  the 
entire  community  of  users  and  the  entire  network.  Such  a  malicious  program  could  be  activated 
from  a  remote  terminal  or  by  the  initiation  of  legitimate  software  that  is  installed  on  the  target 
computer. 

2.  Implantation  of  a  malicious  script  or  program  text  into  remote  computer  systems. 

This  type  of  attacks  has  only  one  feature  that  makes  it  different  from  the  above  described:  it 
requires  that  some  auxiliary  software,  such  as  a  script  interpreter  or  a  translator  for  a  particular 
programming  language,  be  installed  on  the  target  computer. 

The  malicious  codes  include: 

1.  Trojan  horses. 

A  Trojan  horse  is  a  program  disguised  as  a  legitimate  piece  of  software.  Unlike  “bugs”, 
undocumented  components  introduced  by  the  developers  in  the  legitimate  software  without 
malicious  intentions,  an  intruder  has  to  make  a  special  effort  to  introduce  a  Trojan  horse  in  the 
target  system  through  the  use  of  e-mail  or  in  some  other  way.  Very  often,  a  Trojan  horse 
program  can  self-replicate,  which  makes  it  similar  to  a  computer  virus.  Trojan  horses  operate 
differently  from  viruses,  typically  facilitating  violation  of  confidentiality  (“stealing”  passwords) 
and  providing  unauthorized  access  to  a  computer  system  (Back  Orifice). 

2.  Computer  viruses. 

Computer  virus  is  a  label  for  several  groups  of  malicious  programs  intended  to  violate  system 
integrity  and/or  cause  denial  of  service.  Their  main  common  feature  is  self-replication.  The 
family  of  viruses  includes:  boot-viruses,  file  viruses,  common  macro-viruses,  viruses  on  script 
languages,  and  worms. 

2a)  Boot-viruses . 

Boot-viruses  is  one  of  the  most  dangerous  types  of  viruses  for  computers  utilizing 
Windows  NT/2000  or  Unix.  They  gain  control  over  the  computer  before  the  operating  system 
starts  and  work  in  real  mode.  As  a  result,  they  can  damage  not  only  data  and  software,  but  also 
the  hardware. 

2b)  File  viruses. 

This  type  of  virus  infects  executable  files  or  shared  libraries.  When  DOS  was  the  most 
popular  operating  system  for  computers  with  IBM  PC  AT  architecture,  file  viruses  were  the  most 
common  type  of  viruses,  moving  to  the  second  place  after  macro  viruses  due  to  advancements  in 
software. 

2c)  Macro  viruses  and  viruses  on  script  languages. 

This  type  of  virus  is  now  the  most  prevalent  due  to  the  fact  that  many  programs  utilize 
their  own  system  tools  in  the  form  of  script  language  interpreters.  The  majority  of  script 
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languages  is  rather  powerful  and  ean  be  used  for  malieious  purposes.  Different  dialects  of 
BASIC  (such  as  VBA  or  VBScript),  responsible  for  the  success  of  Microsoft  software,  are 
commonly  used  as  carriers  of  macro  viruses.  The  appearance  of  the  vims  LOGO  in  the  spring  of 
2001  provides  evidence  that  practically  every  language  could  be  used  for  malicious  programs. 

3.  Computer  worms . 

This  type  of  vims  has  been  known  for  more  than  ten  years.  The  first  well-known  Internet 
worm  was  written  by  Robert  Morris  in  1988.  But  the  greatest  epidemics  took  place  recently: 
"Melissa"  in  spring  of  1999  and  "Love  Letter"  in  spring  of  2000.  The  main  characteristic  of 
worms  is  that  they  self-replicate  and  disseminate  their  copies  via  computer  networks.  For 
example,  Melissa  and  Love  Letter  used  e-mail  for  that  purpose.  Internet  worms  can  spread  using 
both  executable  files  and  scripts.  Some  worms  consist  from  several  parts:  programs,  data,  and 
scripts. 

4.  Malicious  scripts  placed  into  html pages. 

While  these  attacks  are  not  different  from  malicious  script  languages  and  macro  vimses, 
the  Internet  browsers  provide  users  with  an  additional  defense  mechanism  against  harmful  scripts 
in  html-pages.  However,  the  latest  browsers  are  rather  big  and  complicated  programs  that  can 
(and  do)  contain  some  bugs  that  could  be  exploited  by  intmders. 

5.  Malicious  JAVA  applets. 

There  are  only  few  attacks  of  this  class,  due  to  a  quite  reliable  security  concept  of  JAVA 
known  as  a  "sandbox".  Known  cases  of  using  JAVA  applets  for  intmsion  indicate  that  these 
applets  have  used  mistakes  in  particular  realizations  of  the  JAVA  machine  or  the  users  were 
careless  by  utilizing  low  security  level  in  their  browsers  for  all  Internet  sites.  For  example,  some 
JAVA  viruses  can  be  “contracted”  only  when  security  level  in  browsers  is  switched  to  minimum. 
The  potential  problem  is  that  the  security  level  in  most  browsers  is  zone-dependent  and  if 
malicious  JAVA-code  gets  into  a  trusted  zone  it  will  have  a  chance  to  be  executed  and  spread 
throughout  the  zone. 

6.  Malicious  Active-X components  (also  COM/DCOM/COM+/.Net  and  -CORBA). 

In  this  type  of  attack  a  user  downloads  from  the  Internet  an  executable  code,  disregards  its  digital 
signature  and  the  certificates  proving  the  validity  of  that  signature,  and  mns  this  code  without  a 
“sandbox”.  In  some  cases,  the  use  of  fraudulent  certificates  takes  place. 

In  addition,  some  known  attacks  may  combine  several  of  the  above  subsets. 

Analysis  of  the  attacks  with  the  use  of  malicious  codes  indicates  that  the  objective  of  the 
attack  cannot  be  achieved  to  its  fullest  without  the  dissemination  of  the  malicious  code  over  the 
entire  community  of  users,  hosts,  and  potentially  the  entire  network.  The  attackers  skillfully 
utilize  the  target  computer,  before  rendering  it  useless,  for  expanding  the  attack  onto  as  many  as 
possible  computers  at  the  early  stages  of  the  “information  terrorism”,  utilizing  portable  media 
(diskettes,  ZIP  disks,  CD)  and  now,  the  power  of  the  Internet. 

It  is  well  known  that  any  legitimate  software  developer  invests  significant  efforts  toward 
protecting  his  product  from  unauthorized  use.  Legitimate  businesses  may  be  interested  in  free 
dissemination  of  their  advertisement  in  the  electronic  format,  but  being  bounded  by  the  rules  of 
legitimacy,  are  very  cautious  about  the  means  of  achieving  this  goal.  The  only  type  of  software 
developers  whose  software  is  intended  to  automatically  spread  over  as  many  computers  as 
possible  without  the  users’  consent  are  the  perpetrators  of  information  attacks.  Unlimited  spread 
of  malicious  codes  in  the  process  of  an  information  attack  is  achieved  by  the  introduction  of  a 
special  self-replication  facility  in  the  code,  in  addition  to  its  main  malicious  functions. 
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IV.  Mechanisms  of  the  Immune  Response 


The  immune  system,  like  eomputer  network  systems,  is  extremely  eomplex.  It  eomprises 
a  massive  whole  body  response  meehanism  involving  multiple  eell  types  and  speeialized  tissues. 
For  the  purpose  of  feasibility,  the  immune  system  needs  to  be  represented/modeled  in  its  basie 
eomponents  and  then  one  eould  eonsider  the  interaetion  of  these  eomponents  resulting  in  a 
eomplete  body  response  to  three  generalized  foreign  agents:  a  toxin,  a  baeteria,  and  a  virus.  The 
toxin  represents  a  foreign  agent  presented  to  the  system  in  large  amounts  (e.g.  injected  or 
swallowed)  or  produced  in  large  amounts  by  an  infectious  agent  that  causes  harm  to  the  host 
system.  In  a  computer  network  environment,  effects  of  a  toxin  could  be  paralleled  with  an  illegal 
entry  that  results  in  the  destruction  of  significant  amounts  of  resident  data.  The  bacteria  would  be 
an  agent  which  can  replicate  itself  independent  of  the  host  and  which  causes  harm  to  the  host 
system.  A  corresponding  attack  on  a  computer  network  would  comprise  an  illegal  entry 
facilitating  future  illegal  utilization  of  the  network  facilities  including  the  ability  to  manipulate 
confidential  information.  Finally,  the  virus  would  represent  an  agent  which  replicates  itself 
through  the  host  system  and  which  then  would  cause  harm  to  the  host.  Unsurprisingly,  growing 
and  replicating  itself  using  the  host  facilities  at  the  expense  of  resident  software,  is  exactly  what 
a  computer  virus  does  rendering  the  network  useless. 

The  players  in  the  immune  response 

Antigens  may  be  composed  of  several  types  of  compounds  (protein,  sugars,  lipids,  etc.), 
however  protein  antigens  are  the  type  that  induces  the  most  vigorous  response.  Proteins  are 
comprised  of  chains  of  simpler  compounds  called  amino  acids.  Since  there  are  20  different 
amino  acids,  the  combinations  of  the  amino  acids  can  yield  an  incredible  number  of  possible 
distinctly  different  proteins. 

The  antibodies  are  proteins  themselves  that,  by  the  nature  of  their  amino  acids  at  the 
binding  sites,  can  bind  strongly  to  specific  short  sequences  of  amino  acids.  These  specific  amino 
acid  sequences  may  then  appear  within  the  longer  sequence  of  a  certain  protein  and  therefore  the 
antibody  can  “recognize”  the  protein  via  this  shorter  sequence  and  then  bind.  One  important 
property  of  this  antigen-antibody  recognition  system  is  that  it  is  extremely  specific.  However, 
antibodies  may  also  bind,  with  lesser  strength,  to  amino  acid  sequences  that  are  almost  identical 
to  the  recognized  sequence  allowing  for  “cross-reactivity”  of  the  antibodies.  This  could  allow 
the  antibodies  to  recognize  a  slight  variation  of  the  original  infectious  agent  and  therefore  confer 
some  immunity.  Y et  the  more  different  the  sequence  is  from  the  recognized  sequence,  the 
greater  the  chance  for  non-recognition.  Another  important  consideration  of  this  system  is  that  in 
general,  a  specific  antibody  must  exist  for  essentially  all  of  the  antigens  that  one  could  possibly 
encounter.  Still,  the  immune  system  has  the  capacity  to  randomly  generate  more  than  lO'^ 
different  antigen-binding  antibodies. 

The  antibody  proteins  are  produced  by  the  B  cells.  These  cells  randomly  generate  the 
capacity  to  produce  an  antibody  with  a  single  antigen  recognition  site  such  that  one  B  cell 
produces  an  antibody  that  recognizes  only  one  antigen  (to  have  a  cell  which  produces  several 
antibodies  which  recognize  different  antigens  would  be  a  regulation  nightmare!).  This  B  cell 
then  produces  the  antibody  only  as  a  cell  surface  receptor  and  remains  in  a  resting  state,  waiting 
to  encounter  the  specific  antigen.  When  the  antigen  is  encountered,  it  binds  to  the  antibody  on 
the  B  cell  surface  and  stimulates  the  B  cell  to  awake  and  get  ready  to  function.  However,  in 
most  instances,  the  B  cell  cannot  begin  to  undergo  cell  division  (to  amplify  the  number  of 
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antigen  specific  cells  and  therefore  amplify  the  response)  or  begin  secreting  antibodies  until  it 
obtains  a  second  signal  from  a  Helper  T  lymphocyte  (Th  cell).  This  prevents  the  B  cell  from 
producing  potentially  harmful  antibodies  without  a  confirmation  that  the  response  is  needed. 
Once  the  B  cell  is  activated,  it  then  begins  to  differentiate  into  either  a  Plasma  Cell,  which 
produces  large  amounts  of  antibodies  and  then  dies,  or  a  Memory  Cell  which  eventually  reverts 
back  to  a  resting  state  and  waits  for  a  second  encounter  with  the  antigen.  These  Memory  Cells 
are  the  basis  of  the  greatly  elevated  and  rapid  memory  response  to  the  same  antigen,  as  there  are 
now  greater  numbers  of  these  cells  present  which  now  have  a  less  stringent  requirement  for 
activation. 

As  mentioned  above,  the  B  cell  requires  a  second  signal  from  a  Th  cell  in  order  to 
continue  its  activation  sequence.  This  Th  cell  is  also  an  antigen  specific  cell  with  a  specialized 
receptor,  called  the  T  cell  receptor,  for  a  very  specific  antigen  amino  acid  sequence.  The  T  cell 
receptor  is  similar  to  the  antibody  molecule,  yet  it  is  limited  in  its  ability  to  recognize  and 
antigen.  During  development  of  the  Th  cell  (indeed  all  T  cells  including  the  CTLs  and  Tdth 
described  below),  the  cells  pass  through  a  specialized  tissue,  the  thymus,  in  which  cells  with  T 
cell  receptors  that  recognize  self-antigens  are  killed.  This  eliminates  the  majority  of  the  self 
reactive  cells  and  does  an  excellent  job  of  preventing  autoimmune  responses.  Also  in  the 
thymus,  only  the  T  cells  with  T  cell  receptors  which  can  recognize  antigen  segments  which  are 
“presented”  to  them  by  accessory  cells  with  specialized  cell  surface  antigen-presentation 
receptors,  the  Major  Histocompatability  Complex  class  II  receptors  (MHC  II),  are  allowed  to 
survive.  Indeed,  it  has  been  estimated  that  greater  than  90%  of  the  T  cells  in  the  thymus  never 
survive  these  stringent  regulatory  requirements  to  leave  the  thymus. 

Once  a  Th  cell  leaves  the  thymus,  it  is  fully  capable  of  functioning,  yet,  like  the  B  cell,  it 
too  is  in  a  resting  state.  The  T  cell  receptors  of  these  Th  cells  cannot  recognize  antigens  alone  so 
they  cannot  be  activated  directly  by  antigen.  In  the  case  of  the  humoral  immune  response,  the  B 
cell  binds  the  antigen  via  its  cell  surface  antibody  that  gives  the  B  cell  its  first  activation  signal. 
This  antibody  bound  antigen  is  then  taken  internally  by  the  B  cell  and  “processed”  into  short 
amino  acid  segments  that  are  then  “loaded”  onto  the  MHC  II  receptors.  The  B  cell  then  places 
these  MHC  receptors  loaded  with  antigen  segments  on  its  surface  and  is  now  ready  to  interact 
with  a  Th  cell.  This  interaction  then  consists  of  the  B  cell  “presenting”  the  antigen  to  the  Th  cell 
to  activate  the  Th  cell.  This  presentation  of  the  antigen-MHC  II  to  the  Th  cell  an  activation 
signal  for  the  Th  cell  to  begin  cell  division  (amplification  of  the  response)  and  to  differentiate 
into  a  mature  helper  T  cell  capable  of  helping  the  B  cell.  The  mature,  activated  Th  cell  then 
produces  signals  (via  cell  surface  receptors  or  small  secreted  factors)  that  tell  the  B  cell  to 
continue  on  its  activation  sequence  to  cell  division  and  antibody  secretion. 

Of  interest,  this  B  cell-Th  cell  interaction  presents  another  site  for  amplification  of  the 
immune  response.  One  B  cell  can  “process”  a  large  antigen  into  several  small  different  segments 
that  could  be  used  to  activate  several  Th  cells  with  different  antigen  specificities.  This  would 
increase  the  probability  that  the  B  cell  would  get  a  second  signal  from  a  Th  cell  even  if  the  Th 
cell  did  not  recognize  the  exact  same  segment  of  the  antigen  amino  acid  sequence  that  the  B  cell 
recognized.  Also,  a  single  activated  Th  cell  could  then  interact  with  several  B  cells  to  allow  the 
production  of  several  different  types  of  antibodies  (one  specific  type  from  each  different  B  cell). 
However,  only  those  B  cells  which  have  encountered  the  antigen  for  the  first  activation  step 
would  be  sensitive  to  the  Th  cell  help.  The  overall  response  would  be  a  more  complete 
activation  of  several  B  cells  and  T  cells  with  different  antigen  specificities  -  essentially 
responding  to  several  different  segments  of  a  single  antigen. 
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Before  eontinuing,  another  important  group  of  eells  must  be  eonsidered.  These  are  the 
aeeessory  eells  that  are  not  antigen  specifie  but  play  a  very  important  role  in  the  immune 
response.  The  aeeessory  eells  eonsist  mainly  of  maerophages  and  dendritie  eells  whieh  function 
to  engulf  or  phagocytize  cells,  bacteria,  viruses,  or  even  cellular  debris  and  proteins.  These 
engulfed  cells  or  substances  are  then  enzymatically  destroyed  and  “processed”  much  like  the  B 
cell  processes  antigens  bound  to  their  cell  surface  antibody  receptors  to  yield  short  segments  of 
amino  acids.  As  in  the  B  cells,  these  antigen  segments  are  also  loaded  onto  MHC  II  receptors  for 
the  accessory  cells  to  “present”  to  any  nearby  Th  cells.  Indeed,  the  initial  activation  of  most  Th 
cells  usually  occurs  via  the  presentation  of  foreign  antigens  by  these  accessory  cells.  This 
system  then  allows  for  the  constant  sampling  of  the  body’s  environment  via  macrophage 
phagocytosis  (for  bacteria,  viruses,  and  etc.)  or  dendritic  cells  (for  cell  debris  and  individual 
proteins).  Therefore,  antigen  sampling  (and  hence  Th  cell  activation)  is  not  limited  to  antigen 
specific  B  cells  only,  but  also  certain  non-specific  accessory  cells. 

In  the  cell-mediated  immune  response,  one  of  the  most  potent  killer  cells  is  the  CTL,  a  T 
cell  with  a  T  cell  receptor  that  recognizes  foreign  antigens  present  inside  of  an  infected  cell.  Like 
the  B  cell,  this  CTL  is  normally  in  a  resting  state  and  needs  two  independent  signals  for 
activation.  The  first  signal  comes  when  the  resting  CTL  encounters  an  infected  cell.  Almost  all 
cells  of  the  body  have  an  internal  system  that  constantly  destroys  old  proteins  as  new  ones  are 
produced  by  the  cell.  The  destruction  of  old  proteins  results  in  the  production  of  short  amino 
acid  segments  which  may  then  be  loaded  onto  a  different  type  of  MHC  receptor  called  the  MHC 
class  I  receptor  (MHC  I)  which  is  then  placed  on  the  surface  of  the  cell.  Therefore,  most  cells  of 
the  body  constantly  display  a  variety  of  “self’  amino  acid  segments  in  conjunction  with  the 
MHC  I  receptor  on  the  surface  of  the  cell.  However,  when  a  cell  becomes  infected  with  a  virus, 
the  virus  uses  the  cells  machinery  to  replicate  itself  Yet  this  replication  of  the  virus  inside  of  the 
cell  allows  the  cell’s  internal  system  to  sample  some  of  the  virus  proteins  by  destroying  them  and 
placing  the  short  virus  amino  acid  segments  onto  the  MHC  I  receptors  (again,  random  sampling 
as  with  the  accessory  cells  above).  Subsequently,  when  the  viral  antigen  loaded  MHC  I 
receptors  are  on  the  surface  of  the  cell,  the  cell  is  now  labeled  as  an  infected  cell  even  though  the 
immune  system  cannot  directly  get  at  the  virus  inside  of  the  cell. 

Once  a  CTL  comes  in  contact  with  a  virus  infected  cell,  if  its  T  cell  receptor  can 
recognize  the  virus  segment,  then  the  CTL  obtains  its  first  activation  signal.  However,  the  CTL 
cannot  be  completely  activated  until  it  receives  help  from  a  Th  cell  which  has  also  been 
activated.  The  activated  Th  cell  (usually  activated  by  antigens  from  the  same  virus  as  presented 
by  accessory  cells)  then  produces  a  T  cell  growth  factor  (interleukin-2)  necessary  for  the  CTL  to 
begin  cell  division  (once  again,  an  amplification  step)  and  mature  into  a  functional  CTL.  As 
with  the  B  cells,  memory  CTLs  are  also  produced  to  produce  a  memory  response  in  subsequent 
encounters  with  the  virus.  When  the  mature  CTL  encounters  the  virus  infected  cell  again  (via 
the  T  cell  receptor  binding  to  the  virus  antigen  segment  and  the  MHC  I  receptor),  the  CTL  kills 
the  virus  infected  cell.  Of  importance,  the  mature  CTL  can  kill  many  virus  infected  cells  over  its 
life  span. 

The  final  player  in  the  cell-mediated  immune  response  is  the  Tdth  cell.  Once  again,  this 
T  cell  has  an  antigen  specific  T  cell  receptor  and  must  have  the  antigen  presented  by  an 
accessory  cell  along  with  MHC  IT  They  are  essentially  helper  T  cells  that  have  their  first 
encounter  with  the  antigen  in  the  lymph  nodes.  They  then  undergo  cell  division  (amplification  of 
the  response)  and  maturation  to  competent  Tdth  cells.  These  cells  then  leave  the  lymph  nodes 
and  actively  seek  out  the  areas  of  infection  (see  below  how  they  are  recruited  into  areas  of 


13 


infection).  They  migrate  into  the  area  where  they  receive  the  second  encounter  with  the  antigen 
(presented  by  resident  macrophages  actively  phagocytizing  the  bacteria  or  viruses  or  dendritic 
cells  sampling  the  infection  debris)  and  then  produce  large  amounts  of  inflammation  inducing 
factors  or  cytokines  which  activate  the  phagocytic  macrophages,  neutrophils  and  other  cells  in 
the  area. 

The  interaction  of  the  immune  system  components  against  toxins 

In  the  case  of  a  toxin,  the  best  defense  is  the  antibody  molecule.  A  toxin  by  itself  usually 
can  cause  harm  to  the  cells  of  the  body  and  therefore  must  be  neutralized.  This  is  usually 
effectively  done  by  the  binding  of  the  antibody  molecule  (usually  by  blocking  the  toxin  from 
entering  into  a  cell  or  blocking  the  toxin  function).  Therefore,  the  major  players  in  the  anti-toxin 
response  would  be  the  B  cell  that  produces  an  antibody  to  neutralize  the  toxin  and  the  Th  cell 
that  provides  help  for  the  B  cells.  However,  macrophages  can  also  have  a  role  in  these  responses 
by  providing  another  cell  type  to  present  the  toxin  antigens  to  Th  cells.  Macrophages  also  have 
receptors  on  their  cell  surface  that  can  bind  to  antibodies  that  have  bound  to  an  antigen  (these 
receptors  often  do  not  bind  well  to  antibody  which  has  not  bound  to  an  antigen).  This  then 
provides  a  way  for  the  macrophage  to  attach  to  the  antigen  and  engulf  or  phagocytize  the  toxin  to 
remove  it  from  the  body.  Finally,  some  toxins  may  also  activate  macrophages  and  induce  them 
to  secrete  soluble  factors  that  can  enhance  B  cell  division,  antibody  production,  and  Th  cell 
responses.  On  the  second  encounter  with  the  toxin,  the  body  already  has  antibody  present  to 
neutralize  the  toxin  and  the  greater  number  of  antigen  specific  B  cells  and  Th  cells  (memory 
cells)  are  rapidly  activated  to  produce  extremely  high  levels  of  anti-toxin  antibody  (which  is  the 
basis  of  the  booster  shots  in  vaccines). 

The  interaction  of  the  immune  system  components  against  bacteria 

For  a  bacteria  not  sequestered  inside  of  a  cell,  the  first  line  of  defense  is  the  innate 
immune  response:  the  inflammatory  response  and  macrophage  phagocytosis  of  the  bacteria. 

The  purpose  of  this  innate  immune  response  is  to  hold  the  infection  at  bay  until  the  immune 
response  can  be  activated.  Macrophages  which  have  phagocytized  bacteria  or  dendritic  cells 
which  have  picked  up  bacterial  debris  begin  to  present  bacterial  antigen  segments  with  MHC  II. 
These  cells  travel  to  nearby  lymph  nodes  where  they  then  can  present  the  antigens  to  the  Th  cells 
to  begin  their  activation.  Meanwhile,  bacterial  debris  or  even  whole  bacteria  present  in  the 
lymph  (the  fluid  surrounding  the  cells  of  the  body)  are  carried  via  the  lymphatic  system  to  the 
lymph  nodes.  This  allows  for  B  cells  in  the  lymph  nodes  to  become  stimulated  and  even  resident 
macrophages  in  the  lymph  nodes  to  pick  up  antigen  for  presentation  to  Th  cells.  The  activated 
Th  cells  then  interact  with  the  activated  B  cells  and  eventually  the  B  cells  begin  to  produce 
massive  levels  of  antibody.  This  antibody  then  gets  into  the  blood  circulatory  system  and  is 
carried  to  the  infection  site  where  it  can  have  a  number  of  effects.  Antibody  binding  directly  to 
bacteria  can  allow  macrophages  and  neutrophils  to  attach  to  the  antibody  to  enhance 
phagocytosis  and  killing  of  the  bacteria.  Antibody  bound  to  the  bacteria  can  also  activate  the 
inflammatory  system  that  eventually  results  in  the  activation  of  macrophages  to  become  better 
bacteria  killers  and  to  cause  the  release  of  signals  which  recruit  more  macrophages,  neutrophils, 
and  even  T  cells  from  the  blood  to  the  site  of  infection. 

In  some  instances,  Tdth  cells  in  the  lymph  nodes  may  also  be  activated  by  the  accessory 
cells  bringing  in  antigen.  These  Tdth  cells  then  leave  the  lymph  nodes  to  seek  out  the  area  of 
infection.  Once  in  the  infection  area,  the  macrophages  present  more  antigens  to  the  Tdth  cells  to 
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induce  them  to  release  several  powerful  inflammation  indueing  factors.  These  inelude  factors 
that  recruit  more  maerophages  and  neutrophils  from  the  blood  into  the  area,  factors  that  activate 
the  neutrophils  and  maerophages  to  beeome  master  killers  of  mierobes  (this  in  addition  to  the 
virus-speeifie  antibody  greatly  enhanees  the  maerophage  funetion),  faetors  that  provide  help  for 
other  Th  and  Tdth  cells  in  the  area,  and  they  ean  help  B  eell  to  enhanee  antibody  produetion.  The 
end  result  of  these  responses  is  a  massive  influx  and  activation  of  killer  maerophages  and 
neutrophils  whieh  phagoeytize  the  baeteria,  the  influx  of  antibodies  whieh  neutralize  the  baeteria 
and  enhanee  their  phagoeytosis,  and  the  aetivation  of  the  inflammatory  response.  The  invading 
bacteria  are  usually  destroyed,  however  host  tissue  damage  may  oeeur  in  eases  of  massive 
infection.  Of  note,  often  the  induction  of  the  immune  and  inflammatory  response  results  in  the 
seeretion  of  high  levels  of  aetivation  faetors  by  the  maerophages  and  T  eells.  As  the  levels  of 
these  aetivation  faetors  inerease,  they  often  induee  the  produetion  of  inflammation  suppressing 
faetors  by  the  immune  eells  and  resident  eells  of  the  tissues.  This,  along  with  the  reduction  in  the 
levels  of  antigens  or  baeteria  for  stimulation,  allows  for  the  down-regulation  of  the  response  and 
the  beginning  of  wound  healing. 

The  interaction  of  the  immune  system  components  against  viruses 

Viruses  present  an  interesting  ehallenge  to  the  immune  response  in  that  these  agents  have 
an  intraeellular  phase,  in  whieh  they  are  not  available  to  many  of  the  immune  response  elements, 
and  often  an  extraeellular  phase  when  the  virus  is  shed  from  an  infeeted  eell  to  spread  to  and 
infeet  nearby  eells.  Most  of  the  above  immune  mechanisms  (antibodies  and  TDin-maerophage 
responses)  ean  effectively  handle  the  extraeellular  phase  of  the  virus.  Antibodies  bind  to  the 
extraeellular  viruses  and  prevent  their  binding  to  or  entering  other  eells,  enhanee  their  destruetion 
by  allowing  maerophages  a  handle  to  bind  to  the  bound  antibody  and  induee  phagoeytosis,  and 
bound  antibody  ean  induee  the  inflammatory  response.  Tdth  type  helper  T  eells  ean  migrate  to 
the  site  of  infeetion  and  direct  the  aetivation  of  maerophages  to  beeome  master  killers  with  a 
greater  phagoeytie  eapaeity,  produee  faetors  or  cytokines  whieh  reeruit  other  T  eells, 
maerophages,  and  neutrophils  into  the  area  of  infeetion,  help  the  activation  and  maturation  of 
CTLs  (see  below),  and,  sinee  the  Tdth  cells  are  speeialized  Th  eells,  they  ean  help  B  eells  to 
enhanee  antibody  production.  In  addition,  the  Tdth  cells  ean  seerete  a  very  potent  faetor, 
interferon,  whieh  induees  all  nearby  eells  to  turn  on  their  own  internal  antiviral  defense 
meehanisms  to  prevent  viral  replieation  and  help  in  preventing  the  spread  of  the  infeetion. 

Y et  the  above  meehanisms  generally  have  no  effect  on  the  viruses  hidden  within  infected 
eells.  The  result  is  that  the  infection  continues  beeause  the  souree  (the  virus  infected  eell)  has 
not  been  destroyed  and  in  some  eases  the  infeetion  ean  spread  via  direet  eell-to-eell  transfer  of 
the  virus  without  an  extraeellular  phase.  The  destruetion  of  the  virus  infeeted  eells  requires  the 
aetion  of  the  antigen  speeifie  CTLs.  CTLs  activated  at  the  site  of  the  virus  infection  can  receive 
immediate  help  from  the  Tdth  type  Th  eells  in  the  area  to  beeome  mature,  active  CTLs  to  kill  the 
virus  infeeted  eells.  This  also  releases  any  internal  viruses  to  be  exposed  to  antibody  and 
maerophages  for  destruetion.  Finally,  CTLs  also  ean  produee  interferon  whieh  induees  more 
nearby  cells  to  turn  on  their  internal  antiviral  meehanisms. 

The  overall  effeet  is  that  the  virus  spread  and  souree  of  infection  is  stopped.  Of  eourse 
large  numbers  of  memory  B  eells,  Tdth  type  Th  eells,  and  CTLs  are  also  produeed  so  that  in 
subsequent  eneounters  with  the  same  virus,  the  speeifie  immune  response  is  very  rapid  and  mueh 
stronger;  henee,  immunity. 
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Whole  body  responses  to  infections 

In  addition  to  the  above  deseribed  immune  responses  to  infeetious  agents,  several  other 
meehanisms  are  indueed  whieh  can  help  in  preventing  the  spread  of  the  infectious  agents  to 
different  parts  of  the  body. 

One  of  the  most  striking  features  of  the  immune  system  is  that  the  immune  response  cells 
are  not  centralized,  but  are  spread  out  in  strategically  placed  lymph  nodes  throughout  the  body. 
The  fluids  collected  from  around  the  cells  in  only  a  defined  section  of  the  body  pass  through  any 
single  lymph  node  (e.g.  the  lymph  nodes  of  the  groin  area  filter  fluids  from  various  sections  of 
the  legs).  These  lymph  nodes  provide  a  staging  area  for  the  interactions  that  are  required  for  the 
immune  response  to  occur,  interactions  that  could  not  occur  in  the  rapidly  flowing  blood  or  most 
normal  tissues  where  the  immune  cell  numbers  would  be  too  low.  To  ensure  that  the  antigens  of 
the  infectious  agents  get  to  the  lymph  nodes  (often  well  before  the  antigens  or  viruses  and 
bacteria  actually  reach  the  lymph  node  on  their  own),  the  macrophages  and  dendritic  cells  at  the 
infection  site  specifically  migrate  to  the  local  nodes  carrying  samples  of  any  infection  in  the 
tissues.  This  way,  the  immune  system  does  not  have  to  initially  seek  out  the  infection  -  it  is 
brought  to  the  immune  system.  The  lymph  nodes  also  provide  a  filter  where  lymph  node 
macrophages  remove  many  of  the  bacteria  and  viruses  from  the  fluids  to  prevent  the  spread  of 
the  infection.  Indeed,  several  lymph  nodes  may  be  strung  in  succession  to  ensure  the  filtering  of 
infectious  agents.  Therefore,  the  immune  response  is  localized  and  direct  for  a  specific  area  of 
the  body. 

However,  the  results  of  the  localized  lymph  node  immune  response  are  disseminated 
throughout  the  body.  Antibodies  and  infection-seeking  activated  Tdth  cells  and  CTLs  quickly 
reach  the  blood  circulatory  system  and  are  spread  throughout  the  body  to  prevent  the  spread  of 
the  infection.  As  mentioned  above,  these  cells  are  actively  recruited  to  the  areas  of  infection  by 
the  factors  produced  as  a  result  of  the  inflammatory  response  and  activated  immune  cells.  After 
the  close  of  the  immune  response,  the  memory  B  and  T  cells  continue  to  migrate  throughout  the 
body,  spending  varying  amounts  of  time  in  each  lymph  node  on  the  way.  This  insures  that  the 
memory  cells  will  then  be  (or  soon  will  be)  at  the  appropriate  lymph  node  to  respond  to  a  second 
encounter  with  the  antigen  wherever  it  may  occur. 
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V.  BASIS:  Immune  and  Computer  Defenses 


As  computer  networks  beeome  inereasingly  vulnerable  to  cyber  terrorism,  an  attempt  to 
develop  a  proaetive  defense  meehanism  inevitably  steers  designers  towards  already  existing, 
naturally  evolved,  biologieal  defense  meehanisms.  Biologieal  immune  systems  are  adaptable, 
self-regulating,  automatie  natural  defense  meehanisms  that  work  to  proteet  vertebrates  from 
disease.  Using  the  immune  system  as  a  model,  a  system  to  protect  computers  and  computer 
networking  systems  from  information  attaeks  ean  be  ereated.  In  order  to  build  this  model,  it  is 
first  necessary  to  understand  the  similarities  between  a  biologieal  system  and  a  computer 
networking  system.  In  addition  to  analyzing  immune  systems,  attack  mechanisms  will  also  be 
investigated.  Here,  the  Denial  of  Service  (DoS)  attaek  will  be  studied. 

The  Components  of  a  Biological  Immune  System 

The  immune  system’s  function  can  be  broken  up  into  two  functional  units,  innate 
immunity  and  aequired  immunity.  Innate  immunity,  also  referred  to  as  non-speeific  immunity, 
forms  the  basie  resistanee  to  infection  that  is  possessed  by  any  given  species.  It  is  comprised  of 
many  different  types  of  barriers  that  are  the  first  line  of  defense  whieh  proteet  the  body  from 
infection.  These  are  the  anatomie  barrier,  physiologic  barrier,  endocytie  and  phagoeytic  barriers, 
and  the  inflammatory  response.  Aequired  immunity,  additionally  known  as  speeific  immunity,  is 
the  aetive  portion  of  the  immune  system  that  is  eapable  of  reeognizing  and  eliminating  antigens. 
Acquired  immunity  is  a  mueh  more  complex  system  than  innate  immunity  and  is  eomposed  of 
speeialized  eells  responsible  for  the  deteetion  and  destruetion  of  pathogens. 

The  anatomie  barrier  is  eomprised  of  the  skin  and  other  epithelial  surfaces  (stomaeh, 
intestine,  respiratory,  urinary  tracts  and  others).  These  are  the  interfaces  between  the  body  and 
the  outside  world  and  work  to  effeetively  stop  antigens  before  they  are  able  to  enter  the  body  and 
start  infeetion  or  cause  damage.  While  the  anatomie  barrier  partieipates  in  the  immune  system,  it 
generally  must  be  told  what  to  do.  Problems  sueh  as  breaks  in  the  epithelium,  microbial 
infection,  and  damage  to  the  tissues  are  deteeted  and  initiate  the  inflammatory  response,  the 
body’s  first  line  of  defense  against  infection  that  includes  the  aetivation  of  phagoeytie  eells. 

Physiologie  barriers,  working  with  the  anatomic  barrier  further  deerease  the  risk  of 
infection.  Temperature  and  pH  are  examples  of  physiologie  barriers.  When  a  pathogen  comes  in 
contaet  with,  or  passes  by,  the  skin  or  epithelial  surface,  the  environment  that  is  present  can  slow 
or  potentially  prevent  its  growth  and  spread.  Physiologie  barriers  provide  some  explanation  as  to 
why  different  animals  are  naturally  immune  to  certain  diseases.  For  example,  chiekens  are 
naturally  immune  to  anthrax  beeause  their  high  body  temperature  prevents  growth  and  infeetion. 

A  more  complex  innate  immune  behavior  is  found  in  the  endoeytic  and  phagoeytic 
barrier.  Here,  extracellular  materials  are  ingested  through  endocytosis  or  phagoeytosis.  Ingestion 
oceurs  as  eertain  cells  internalize,  by  folding  their  cell  walls  around,  the  extraeellular  material 
forming  endocytie  vesicles.  Upon  internalization,  these  vesicles  are  routed  to  endosomes  where 
the  proeess  of  dissociation  of  the  extracellular  material  begins.  This  proeess  is  assisted  by  the 
inflammatory  response. 

The  inflammatory  response  is  characterized  by  an  inerease  in  the  diameter  of  the  blood 
vessels  (vasodilatation),  inereased  capillary  dilation  and  an  increase  of  the  presence  of 
phagoeytic  cells.  Inflammation  oeeurs  as  a  result  of  a  complex  interaetion  with  a  variety  of 
chemieal  mediators.  Vasodilatation  and  inereased  eapillary  dilation  allow  for  white  blood  eells. 
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which  are  composed  mostly  of  phagocytic  cells,  to  migrate  to  the  affected  area.  In  addition, 
inflammation  serves  to  contain  any  potential  infection  to  a  localized  area. 

When  antigens  breech  the  innate  defense  systems,  acquired  immunity  is  the  next  system 
involved  in  elimination  of  specific  foreign  microorganisms  and  molecules.  The  acquired  immune 
system  displays  specificity,  memory,  diversity,  and  self/non-self  recognition  [1].  Acquired 
immunity  however  does  not  act  independently  from  the  innate  system,  but  in  concert  with  it. 
Innate  responses  trigger  responses  from  the  acquired  immune  system.  For  example,  soluble 
proteins  released  during  the  inflammatory  response  attract  cells  of  the  acquired  immune  system. 

The  acquired  immune  system  is  composed  of  two  groups  of  cells  called  lymphocytes  and 
antigen-presenting  cells.  Lymphocytes  are  one  of  many  types  of  white  blood  cells  that  are 
produced  in  the  bone  marrow  and  circulate  in  the  blood  and  lymph  system.  Lymphocytes  are 
responsible  for  the  specificity,  memory,  diversity,  and  self/non-self  recognition  found  in  the 
immune  system.  B-lymphocytes  and  T-lymphocytes  comprise  the  majority  of  the  lymphocytes. 

B-lymphocytes,  upon  maturity,  leave  the  bone  marrow  with  a  unique  antigen-bonding 
receptor,  which  is  an  antibody,  on  their  membrane.  When  the  B-lymphocyte  first  encounters  an 
antigen  that  matches  its  receptor,  it  begins  to  divide  rapidly.  Both  memory  B  cells  and  effector 
cells  called  plasma  cells  are  created.  The  memory  B  cells  that  are  created  retain  the  antigen¬ 
bonding  receptor  on  their  membranes  and  function  as  B-lymphocytes.  The  plasma  cells  do  not 
form  an  antigen-bonding  receptor.  Instead,  the  antibody  is  secreted  and  acts  as  an  effector 
molecule. 

T-lymphocytes,  unlike  B-lymphocytes,  mature  in  the  thymus  gland.  Like  B  cells,  T  cells 
have  an  antigen-binding  receptor  on  their  membrane.  Unlike  the  B  cells,  the  T  cell  receptor 
cannot  bind  with  an  antigen  unless  the  antigen  is  also  associated  with  cell  membrane  proteins 
known  as  major  histocompatibility  complex  (MHC)  molecules.  When  a  T  cell  comes  in  contact 
with  an  antigen  associated  with  an  MHC  molecule,  it  begins  to  divide  forming  other  effector  T 
cells. 

The  lymph  nodes  are  the  home  of  many  of  the  immune  cells  of  the  body.  T  cells  act  as 
the  directors  of  the  immune  system.  B  cells  produce  antibodies,  which  bind  to  foreign  antigens, 
and  cytotoxic  T  cells  kill  virus  infected  cells.  Amongst  the  immune  cells  are  the  antigen 
presenting  cells  (macrophages  and  dendritic  cells)  which  sample  antigen  throughout  the  body, 
process  them,  transport  them  to  the  lymph  nodes  and  present  the  processed  antigen  to  the  T  cells. 
The  sampling  of  antigen  is  continuous,  including  the  sampling  of  self,  for  which  there  are  no  T 
cells  to  bind  with,  thus  preventing  a  self-attack. 

The  Components  of  Computer  Networking  Systems 

Computer  systems  and  networks  of  computer  systems  already  posses  many  of  the 
characteristics  of  the  immune  system.  In  computer  systems,  anatomic  barriers  exist  in  the  form  of 
simple  usemame/password  security,  connection  encryption  and  process/user  privileges.  Extended 
to  computer  networks,  hubs,  switches,  gateways  and  routers  in  their  basic  form  provide  effective 
barriers  against  many  types  of  potential  attacks.  Furthermore,  these  systems  can  provide  added 
security  when  an  attack  is  underway  by  blocking  or  shunting  potentially  harmful  network  traffic 
away  from  sensitive  systems  or  networks.  The  diversity  of  computer  systems  and  networks  also 
form  another  barrier  to  attack.  Security  holes  and  exploits  usually  affect  specific  operating 
systems  on  specific  hardware  platforms. 

Antivirus  and  intrusion  detection  packages  are  created  to  further  protect  systems  from  infection 
and  damage.  One  could  almost  consider  this  the  “active”  part  of  the  computer’s  or  computer 
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network’s  immune  system,  but,  in  reality,  these  are  nothing  more  than  “dumb”  barriers  that  are 
sometimes  updated,  usually  after  infeetion,  after  damage  has  already  been  done.  Furthermore,  no 
one  tool  has  been  developed  to  solve  the  problems  with  computer  systems  infection  as  infections 
can  occur  across  platform,  with  different  operating  systems  and  different  network 
implementations. 

The  Denial  of  Service  (DoS)  Attack 

The  Denial  of  Service  (DoS)  attack  is  the  most  threatening  type  of  attack  that  can  be 
launched  against  a  computer  or  network  of  computers.  The  DoS  attack  endangers  all  computers 
systems  connected  to  the  Internet,  including  servers,  clients  (workstations),  routers,  and 
firewalls.  In  a  DoS  attack  scenario,  the  attacker  sends  malicious  traffic  to  the  target  with  the  aim 
of  crashing,  crippling,  or  jamming  communication  between  the  target  system  and  legitimate 
users,  effectively  “killing”  the  computer  system  or  the  services  that  it  offers. 

Fundamentally,  there  are  three  DoS  attack  scenarios,  all  of  which  effectively  disable  the 
target  and  prevent  its  legitimate  use.  In  the  first  scenario,  the  attacker  exploits  bugs  in  network 
software  implementations,  crashing  or  disabling  the  target’s  communication  processing 
capabilities.  The  second  attack  type  is  aimed  at  weaknesses  in  network  protocols,  aiming  to 
overload  the  system’s  communication  resources,  which  virtually  disconnects  the  target  from  the 
outside  world.  The  third  type  of  attack  exploits  the  limited  network  bandwidth  to  the  target, 
inundating  it  with  enormous  volumes  of  traffic. 

Clearly,  all  three  forms  of  attack  have  the  common  result  of  preventing  legitimate  use  of 
the  target  system.  Although  patchwork  solutions  have  been  developed  for  many  of  the  DoS 
attacks  currently  identified,  new  attacks  are  continually  being  developed.  The  purpose  of 
connecting  computer  systems  to  a  network  is  to  provide  access  for  their  legitimate  use.  Although 
network  protocols  can  be  made  more  secure,  any  mechanism  that  allows  outside  access  to  a 
system  can  be  exploited  and  makes  that  system  vulnerable  to  attack.  Thus,  protecting  networked 
systems  requires  accepting  the  dynamic,  uncontrollable,  and  potentially  hostile  environment  in 
which  they  exist  and  developing  protection  mechanisms  that  can  cope  with  this  environment. 

The  three  primary  DoS  attack  scenarios  have  common  characteristics  as  well  as 
differences  in  their  implementation  and  execution.  The  main  characteristic  shared  by  all  DoS 
attacks  is  the  basic  aim  of  preventing  normal  access  to  the  system  under  attack.  The  main 
differences  lie  in  the  degree  of  infiltration  of  the  system  under  attack  and  the  duration  and 
severity  of  the  damage  inflicted. 

DoS  attacks  that  exploit  bugs  or  weaknesses  in  network  software  implementations  are 
designed  to  cripple  the  target  by  crashing  or  modifying  the  networking  software  or  the  operating 
system  itself.  Generally,  the  attack  can  be  launched  from  a  single  computer  by  sending 
malformed  packets  or  sequences  of  packets  to  the  target.  This  scenario  has  the  highest  level  of 
infiltration;  malicious  network  traffic  enters  the  target  system  and  cripples  it.  The  damage 
inflicted  on  the  target  is  severe  and  persists  until  the  affected  software  is  re-installed.  Since  these 
attacks  are  due  not  to  weaknesses  in  the  network  protocols  but  their  implementations,  they  are 
easily  fixed  once  the  bug  is  identified  and  the  proper  software  patch  applied.  However,  the 
complexity  of  network  software  implementations  often  makes  it  impossible  to  test  for  and 
eliminate  all  bugs,  making  them  vulnerable  to  future  attacks. 

The  second  form  of  DoS  attacks  directly  target  weaknesses  in  the  high-level  network 
protocols.  The  objective  of  these  attacks  is  not  to  crash  the  target  but  to  cripple  it  by  overloading 
a  bottleneck  resource.  In  this  scenario,  the  attack  is  aimed  at  the  entry  points  to  the  system  and 
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represents  a  medium  level  of  infiltration.  No  damage  is  inflicted  on  the  system  software  (it  is 
functioning  normally).  In  addition,  access  to  the  target  computer  may  not  be  completely  blocked 
off  by  the  attack  and  usually  resumes  shortly  after  the  attack  ceases.  The  most  prevalent  example 
of  this  type  of  attack  is  the  SYN  Flood  or  TCP  SYN  Attack.  Like  software  implementation  bug 
attacks,  mechanisms  can  be  put  into  place  to  prevent  attacks  against  network  protocols  once  a 
specific  attack  scenario  is  identified.  However,  these  protocols  are  complex  and  likely  to  have 
further  vulnerabilities. 

The  first  two  forms  of  DoS  attacks,  those  against  network  protocols  and  their 
implementations,  can  be  launched  from  a  single  source.  The  third  class  of  DoS  attacks 
represents  coordinated  efforts  launched  against  a  target  from  multiple,  distributed  sites.  These 
attacks  can  be  particularly  troublesome  as  they  may  invade  the  target  network  from  different 
points  of  entry,  allowing  an  increase  in  the  volume  of  malicious  traffic  that  can  reach  the  target. 
The  goal  of  this  form  of  attack  is  to  jam  the  communication  pathways  to  the  target  without 
disabling  the  processing  on  the  target  system  itself.  In  this  scenario,  the  attacker  doesn’t 
infiltrate  the  target  system,  but  effectively  jams  the  access  paths  to  it.  Access  to  the  target  is  not 
completely  prevented  during  the  attack  (although  it  is  severely  limited)  and  access  resumes 
quickly  after  the  attack  ceases.  This  specific  class  of  attacks,  known  as  Distributed  Denial  of 
Service  (DDoS)  attacks,  rely  on  recruiting  a  number  of  zombie  computers  that  are  subjugated  by 
a  master  to  assault  the  target  from  a  number  of  locations.  Defending  against  a  DDoS  attack 
requires  a  coordinated,  distributed  defense. 

Anatomy  of  a  DoS  TCP  SYN  Flood  (TCP  SYN)  attack 

TCP  (transmission  control  protocol)  is  one  of  the  more  common  protocols  used  by 
machines  to  communicate  across  networks  and  is  defined  in[RFC  793].  TCP  provides  a  reliable 
ordered  connection  for  the  exchange  of  data.  In  order  to  establish  a  connection,  some 
configuration  data  needs  to  be  transferred  between  client  and  server.  This  is  done  using  a  three- 
way  handshake. 

The  client  first  informs  the  server  of  its  beginning  sequence  number.  This  is  done  with 
the  SYN  bit  set  in  the  TCP  header;  later  referred  to  as  the  SYN  packet.  The  server  receives  the 
SYN  packet,  “half-opens”  the  connection  and  acknowledges  the  received  SYN  while  also 
sending  its  beginning  sequence  number,  this  is  known  as  the  SYN-ACK  packet.  At  this  point,  the 
server  is  in  the  SYN-RECEIVED  state.  When  the  client  receives  the  SYN-ACK,  it  responds  to 
the  server  with  an  ACK  to  acknowledge  the  server’s  beginning  sequence  number.  After 
reception  of  the  final  ACK  by  the  server,  the  connection  is  fully  established.  Eor  every  unique 
SYN  packet  (the  host  address,  port,  and  sequence  numbers  are  the  same),  the  server  creates  a 
half-open  connection  and  responds  with  a  SYN-ACK. 

Another  important  feature  is  that  the  network  is  considered  inherently  “unreliable”  hence 
network  conditions  may  cause  the  loss  of  the  SYN,  SYN-ACK  or  ACK  packet.  If  the  client  does 
not  receive  the  SYN-ACK  within  a  reasonable  time,  it  will  continue  to  retransmit  the  original 
SYN  request  until  a  connection  timeout  is  reached.  If  the  server  does  not  receive  an  ACK  to  the 
transmitted  SYN-ACK,  it  will  continue  to  retransmit  the  SYN-ACK  until  an  ACK  is  received  or 
until  some  predetermined  SYN-ACK  timeout  is  reached  upon  which  the  connection  will  be 
closed  and  previously  allocated  resources  will  be  released. 

A  malicious  client  takes  advantage  of  the  fact  that  when  the  server  side  of  the  connection 
is  in  the  SYN-RECEIVED  state,  the  server  has  allocated  network  resources  for  the  “half-open” 
connection.  When  the  client  sends  the  initial  SYN  packet,  it  usually  “spoofs”  the  client’s  address. 
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This  is  done  for  two  reasons.  First,  the  aetual  elient  launching  the  attack  is  disguised  by  the 
spoofed  address.  Second,  when  multiple  SYN  requests  are  sent  out  with  different  source 
addresses,  the  attack  will  look  as  though  multiple  hosts  are  requesting  connections.  Once  the 
server’s  available  networking  resources  are  consumed,  the  server  becomes  effectively  shut  off 
from  the  world. 

Since  only  one  client  is  required  to  launch  a  multi-pronged  assault  on  a  target  server,  the 
SYN  Flood  attack  is  one  of  the  easiest  attacks  to  implement.  The  bandwidth  requirements  for  an 
attack  of  this  nature  are  relatively  small.  This  allows  for  devastating  attacks  to  be  launched  from 
bandwidth-limited  connections.  Tools  to  launch  an  attack  are  readily  available  to  a  wide  variety 
of  attackers,  from  “script  kiddies”  to  professionals.  Even  though  this  type  of  assault  is  well 
known,  the  protocol  cannot  be  changed  to  prevent  an  attack  without  breaking  millions  of  client 
implementations.  Furthermore,  it  takes  only  a  small  step  to  convert  a  single  machine  assault  to  a 
distributed  and  coordinated  assault  on  an  entire  network. 

Once  the  target  system  or  network  is  under  attack  it  is  very  hard  to  stop  the  assault.  If  the 
assault  is  determined  to  be  from  an  application  with  a  hard-coded  set  of  target  addresses,  then  the 
fix  is  relatively  easy:  a  simple  change  of  the  host  address  of  the  targeted  system  and  updating  the 
DNS  (domain  name  service)  records  for  the  target  will  do  the  job.  However,  if  the  attack 
includes  either  resolving  the  new  location  of  the  target  or  moving  from  source  machine  to  source 
machine,  the  level  of  work  required  to  stop  the  assault  grows  enormously. 

Until  the  flow  of  invalid  SYN  packets  is  stopped  at  the  source,  the  network  must  have 
some  level  of  filtering  implemented.  Since  these  SYN  packets  look  like  legitimate  traffic,  the 
source  address  would  have  to  be  verified  for  each  connection  request.  There  are  many  types  of 
routers  and  bridges  that  can  assist  in  performing  this  action,  but  network  throughput  drops  when 
each  and  every  request  needs  to  be  verified.  Furthermore,  many  man-hours  are  wasted  with 
network  administrators  working  towards  blocking  all  of  the  offending  source  addresses  and 
networks. 

While  the  packet  filtering  operations  are  being  put  into  place,  the  next  step  would  be  to 
find  the  actual  source  of  the  attack.  This  process  could  take  days  or  weeks.  With  the  large  levels 
of  administration  and  bureaucracy  between  the  attacker  and  the  target,  the  source  may  never  be 
found  or  stopped.  In  fact,  the  attacker  may  not  be  in  the  same  political  jurisdiction  as  the  target. 
The  attacker  can  also  halt  the  attack  as  an  attempt  to  prevent  detection,  only  to  restart  it  at  a  later 
time. 


Anatomy  of  a  Relevant  Biological  Attack 

Infectious  agents  can  enter  a  body  in  many  ways.  The  consumption  of  food,  air,  and 
water  required  for  life  also  constitute  sources  of  infectious  agents.  Tissue  damage,  such  as 
scrapes  and  cuts,  provides  additional  paths  for  possible  infection.  The  anatomic  barriers  prevent 
most  sources  of  infection  by  making  the  environment  inhospitable  for  infectious  agents  or  just 
preventing  their  entry  into  the  body.  However,  when  an  antigen  makes  is  past  these  anatomic 
barriers,  the  active  parts  of  the  immune  system  work  in  concert  with  the  anatomic  barriers  to  first 
detect,  then  fight  off  infection. 

The  variety  of  agents  includes  bacteria,  viruses,  and  foreign  proteins.  The  human  body 
presents  a  hospitable  environment  for  the  development,  adaptation  and  consequent  proliferation 
of  the  antigens.  In  return  for  this  hospitality,  bacteria  can  multiply  at  an  alarming  rate,  releasing 
toxins  and  competing  with  nutrients  in  the  host.  For  example,  the  Anthrax  bacterium,  (B. 
anthracis),  is  contracted  by  the  host  through  inhalation,  ingestion,  or  direct  contact  with 
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contaminated  material.  Anthrax  releases  a  series  of  proteins  whieh  kill  the  host’s  own  eells  in  the 
infeeted  area.  Untreated,  Anthrax  ean  potentially  kill  the  host. 

One  of  the  first  responses  of  the  immune  system  is  the  inflammation  response. 
Inflammation  oeeurs  as  a  result  of  a  release  of  ehemieal  moderators  from  damaged  eells.  The 
eellular  damage  ean  be  from  trauma,  temperature,  eontaet  with  foreign  substanees  and  a  host  of 
other  reasons.  With  the  presenee  of  the  ehemieal  moderators  the  loeal  blood  vessels  dilate 
(vasodilatation).  When  this  oeeurs,  liquid  fills  in  the  affeeted  region  and  it  swells.  This  works  to 
prevent  eontaminants  from  spreading  beyond  the  affeeted  region,  in  effeet,  isolating  the  damage. 
Furthermore,  eells  from  the  aetive  portion  of  the  immune  system  are  attraeted  to  inflamed  areas 
and  flow  outside  of  eellular  walls  into  the  affeeted  areas. 

Maerophages  are  eonstantly  working  by  pieking  up  extra  eellular  material,  proeessing  it 
and  transporting  it  the  lymph  nodes.  In  the  lymph  nodes,  the  maerophages  will  present  the 
material  to  the  T  eells.  If  a  T  eell  is  present  that  reeognizes  the  material,  it  (with  potentially 
several  T  eells)  will  aetivate.  The  aetivated  T  eell  will  then  undergo  eell  division  many  times  to 
inerease  the  number  of  eells  whieh  ean  respond  to  the  infeetion  (amplifieation  of  the  response) 
and  then  these  eells  will  begin  to  differentiate  into  effeetor  T  eells  whieh  will  aetually  do  the 
response. 

The  effeetor  T  eell  has  a  fixed  lifetime  of  two  to  five  days,  after  whieh  it  will 
automatieally  die.  This  allows  for  the  proper  regulation  of  the  response  to  ensure  that  the 
response  does  not  go  on  longer  than  needed.  The  seleeted  effeetor  T  eell  then  goes  to  the 
epithelium  and  direets  the  exeeution  of  the  proteetion.  Effeetor  T  eells  ean  seerete  soluble  faetors 
(eytokines)  to  tell  the  epithelium  to  do  things  like  express  new  reeeptors,  produee  new  eytokines, 
open  or  elose  passages  between  epithelial  eells,  ete.  They  also  eould  tell  the  tissue  maerophages 
to  beeome  better  antigen  presenting  eells  and  beeome  better  phagoeytie  eells.  Finally,  the 
effeetor  T  eells  may  be  of  a  killer  type  (eytotoxie  T  lymphoeytes  or  CTLs),  whieh  seek  out  virus- 
infeeted  eells  and  kill  them. 

The  nature  of  the  infeetion  and  the  type  of  eells  aetivated  would  then  determine  the 
effeetor  response  generated  sueh  that  the  response  is  fine  tuned  to  the  infeetion.  The  immune 
response  eontinues  as  long  as  there  are  funetional  effeetor  T  eells  and  that  there  is  a  need  for  the 
response.  As  long  as  there  is  antigen  present,  more  effeetor  T  eells  will  be  generated  to  replaee 
the  ones  that  are  dying  beeause  of  their  fixed  lifetime.  This  ensures  that  the  immune  response  is 
maintained  as  long  as  needed.  Onee  the  antigen  level  begins  to  fall,  there  are  fewer  stimuli  to 
produee  new  effeetor  T  eells.  The  remaining  effeetor  T  eells  simply  die  off  at  their  preseribed 
lifetime. 

Immune  system  memory  is  also  developed  during  this  proeess.  As  effeetor  T  eells  are 
ereated,  memory  B  eells,  speeifie  to  the  attaeking  antigen  are  also  ereated.  As  more  effeetor  eells 
are  ereated,  the  larger  the  infeetion,  more  memory  eells  are  ereated.  The  memory  B  eells 
aeeumulate  and  have  a  much  longer  lifetime  of  ten  to  twenty  years.  Therefore,  any  seeond 
eneounter  with  the  antigen  or  pathogen  will  trigger  the  immune  response  more  quiekly,  unlike 
the  first  eneounter  with  the  antigen  or  pathogen  where  there  were  only  a  few  B  eells  with  eould 
respond  to  the  antigen.  If  the  body  is  eontinuously  exposed  to  the  antigen  throughout  its  life, 
memory  eells  eontinuously  are  produeed,  therefore  making  the  memory  permanent  in  the  body. 
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Similarity  Between  Biological  Systems  and  Computer  Network  Systems 

In  order  to  extend  the  immune  system  model  as  a  system  to  proteet  against  DoS  attaeks  to 
a  network  of  eomputer  systems,  similarities  between  DoS  attaeks  and  biological  attacks  need  to 
be  established. 


Computer  Network 

Biological  System 

The  attacks  are  very  easy  to  implement  and 
launch.  There  are  publicly  available  tools 
that  can  be  used  to  launch  DoS  attacks, 
requiring  only  a  basic  amount  of  computer 
programming  knowledge 

The  attacks  are  essentially  ubiquitous,  with 
some  type  of  pathogen  potentially  existing  in 
almost  every  environment 

It  is  not  possible  to  prevent  or  preempt  or 
stop  a  DoS  attack  because  the  attackers  most 
likely  lie  outside  of  the  administrative  control 
of  the  system  to  be  protected 

It  is  not  possible  to  control  the  source  of  the 
infection,  as  the  body  must  take  in  large 
quantities  of  various  materials  needed  for 
survival 

Networked  systems  must  remain  accessible 
and  open.  A  networked  system  must  accept 
packets  from  the  network 

Material  must  be  consumed  for  survival  of 
the  life  form 

Network  packets  may  contain  encrypted  data; 
thus  it  may  not  be  possible  to  detect  an  attack 
until  after  it  has  begun 

The  infectious  agents  are  often  “hidden” 
within  the  volume  of  materials  taken  into  the 
body.  All  of  the  consumed  material  is 
treated  as  beneficial 

Once  launched,  the  attack  may  not  be 
detectable  until  it  has  already  done 
significant  damage 

The  host  may  not  appear  ill  until  several 
hours  or  even  days  later  (the  incubation 
period  for  infection)  when  the  infection  is 
well  established 

Stopgap  measures  are  only  minimally 
effective.  Patches  can  be  applied  to  fix  bugs 
in  software  implementations  and  protocols 
can  be  made  more  secure.  However,  it  can 
be  argued  that  no  software  is  immune  to  bugs 
and  thus  network  software  implementations 
will  always  be  vulnerable 

Modem  environmental  health  and  sanitation 
laws  and  practices  along  with 
epidemiological  studies  have  helped  to 
control  the  sources  of  some  common 
pathogens,  however  it  is  not  possible  to 
completely  prevent  infection 

Information  security  systems  are  modular  by 
nature  and  comprised  of  independent 
software  and  hardware  modules  such  as 
username/password  facilities,  public/private 
key  authentication  systems,  antiviral 
software,  cryptographic  devices  and  intrusion 
detection  hardware/software 

Immune  systems  are  modular  by  nature 
comprising  such  elements  as  skin,  etc. . . 

Differences  Between  Biological  Systems  and  Computer  Network  Systems 

It  could  be  seen  that  functions  of  both  systems  are  similar.  Both  systems  have  a  complex 
configuration,  however,  the  biological  immune  system  is  more  reliable  and  dependable.  Partially, 
this  could  be  explained  by  the  fact  that  the  “immune  problem”  is  much  simpler:  the  immune 
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system  has  to  differentiate  only  self  from  non-self  With  this  ability,  potential  attaeks  ean  be 
thwarted  before  any  damage  is  done.  The  equivalent  in  the  eomputer  systems  world  would  be  the 
ability  to  determine  normal  and  abnormal  network  traffie  and  malieious  software.  Abnormal 
network  traffie  and  malieious  software,  when  diseovered  should  be  ignored  or  bloeked. 

The  biologieal  system  also  possesses  a  variety  of  systems  that  offer  early  warning  that 
something  is  wrong.  For  example,  the  inflammation  response  oeeurs  upon  damage,  without  the 
presenee  of  an  infeetious  agent.  This  type  of  response  works  to  limit  the  damage  that  eould 
possibly  be  done  if  there  are  any  infeetious  agents.  In  a  DoS  attaek  against  a  eomputer  network, 
by  default,  all  networking  components  work  to  “assist”  the  attack.  All  of  the  networking 
components  pass  along  the  malicious  packets  without  any  regard  to  source  or  content  as  long  as 
the  packets  meet  the  minimum  network  protocol  specifications.  The  target  server  even  responds 
as  though  these  packets  are  legitimate  traffic. 

In  a  computer  security  system,  usually  only  one  facility  is  available  for  the  response  to 
any  specific  type  of  attack.  The  immune  system  is  composed  of  many  components,  some  layered 
and  some  independent,  any  of  which  can  be  inactive,  disabled,  or  defeated  without  preventing  a 
successful  immune  response. 

The  immune  system  components  also  communicate  with  each  other  in  an  ad-hoc 
measure.  Most  communication  is  a  simple  interaction  with  chemical  moderators  that  are  often 
released  to  initiate  a  further  response  pending  presence  of  other  immune  system  components. 
Once  the  response  is  underway,  the  responders  also  release  moderators  that  control  the  rate  of 
both  the  number  of  responders  and  the  size  of  the  response.  In  computer  networks,  there  is  little 
or  no  coordination  between  the  network  safeguarding  systems.  Often,  the  system  administrator 
intervention  is  the  reacting  mechanism.  Unfortunately,  this  happens  long  after  an  attack  begins 
and  perhaps  even  after  major  damage  has  been  sustained. 

Since  the  immune  system  is  composed  of  small  independent  functional  blocks,  the 
resources  of  the  immune  system  are  scalable  with  many  functions  working  in  parallel  to  fight  off 
an  attack  and  prevent  further  assaults.  If  there  is  an  infection,  once  detected,  many  of  the  immune 
system  components  can  increase  their  presence  by  multiplying,  with  many  actively  working  to 
suppress  the  immediate  attack  and  some  remaining  to  fight  off  a  recurrence.  In  the  computer 
network,  often  each  system  is  isolated,  working  independently,  with  a  few  pieces  of  software 
running  to  prevent  or  detect  an  attack.  Each  piece  of  software  added  adds  processing  load  to  the 
system,  decreasing  performance.  Typically,  the  response  to  an  attack  on  the  computer  network  is 
either  all  or  nothing.  There  is  no  scalability  depending  on  the  size  or  success  of  the  attack. 

Finally,  the  immune  system  is  completely  automatic.  Little  “user  intervention”  is  required 
for  it  to  successfully  prevent  or  eliminate  an  attack  against  the  host.  The  immune  response  scales 
to  the  size  of  the  perceived  attack  and  properly  scales  back  when  the  assault  ends.  An  attack 
against  a  computer  network  often  involves  direct  intervention  by  the  administrators  of  the 
network.  Many  man-hours  are  spent  in  the  detection,  prevention,  and  response  to  assaults  against 
these  networks.  Often  computer  attacks  are  successful  from  complacency,  poor  training,  lack  of 
attention  to  software  holes  and  patches,  and  plain  incompetence. 

Dynamics  of  the  Immune  Response 

A  quantitative  description  of  the  autonomic  immune  response  provides  a  means  for 
understanding  major  interactions  between  the  components  of  the  immune  system  and  the 
intruding  antigen,  and  the  dynamics  of  these  interactions.  Moreover,  it  allows  for  the  establishing 
the  conditions  for  three  possible  outcomes  of  such  interaction,  full  recovery  from  infection. 
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chronic  infection,  and  death  of  the  host.  It  should  be  elear  that  the  proposed  equations  provide  a 
simplified  deseription  of  the  aetual  biologieal  phenomena.  Moreover,  these  equations  are  only  as 
aeeurate  as  their  eonstants.  In  the  ease  of  the  immune  system  these  eonstants  ean  be  only  roughly 
guessed.  Therefore,  the  established  equations  eannot  be  effeetively  used  for  the  predietion  of  the 
outeome  of  a  disease  eaused  by  the  antigen  or  for  the  modifieation  of  the  immune  “eontrol  law”. 
However,  the  importanee  of  these  equations  for  the  eomputer  network  applieations  shall  not  be 
underestimated. 

First,  they  deseribe  the  prineiple  of  operation  of  a  system  providing  very  sueeessful 
defense  against  information  attaeks.  Seeond,  beeause  in  the  ease  of  a  eomputer  network, 
parameters  of  the  equations  eould  be  aeeurately  estimated  that  makes  them  aeeurate  and 
dependable.  Third,  they  eould  be  instrumental  for  the  analysis  and  design  of  defense  meehanisms 
intended  for  eomputer  networks. 

The  speeifie  immune  response  is  the  main  meehanism  enabling  the  immune  system  to 
destroy  intruding  antigen.  Various  lymphoeytes  and  proteins  that  are  uniquely  equipped  for 
eounteraeting  any  partieular  antigen  aeeomplish  this.  Eaeh  lymphoeyte  is  keyed  with  a  speeifie 
reeeptor  for  speeifie  non-self  proteins.  The  immune  system  eontinuously  manufaetures  these 
reeeptors,  speeializing  to  at  least  10^'^  various  genotypes. 

The  aetual  ability  of  the  immune  system  to  destroy  the  intruding  antigen  depends  on  the 
eoneentration  of  eorresponding  speeialized  fighter  eells  and  antigen.  If  a  speeifie  antigen  has  not 
attaeked  the  host,  the  eoneentration  of  fighter  eells  responsible  for  a  respond  to  an  attaek  from 
the  partieular  antigen  are  minimal.  Sinee  it  is  unlikely  that  10^'^  different  antigens  will  attaek  the 
host  in  any  partieular  period  in  time,  an  immune  memory  is  developed  to  eounteraet  eommon 
assaults. 

During  a  response  to  a  speeifie  attaek,  two  types  of  immune  eells  are  ereated.  To  assist  in 
the  eurrent  assault,  short-lived  fighter  eells  are  ereated.  For  potential  future  assaults,  long  term 
“memory  eells”  are  ereated  with  a  lifetime  of  ten  to  twenty  years.  These  memory  eells  inerease 
the  natural  baekground  level  of  the  speeifie  antigen  responsible  for  the  assault  thereby  inereasing 
the  probability  of  the  deteetion  of  an  attaek  in  any  period  of  time. 

Consider  the  immune  response  in  the  ease  when  a  speeifie  antigen  infeets  a  biologieal 
organism.  Introduee  quantity  C(t)  representing  the  eoneentration  of  the  immune  eells  earrying 
the  genotype  of  the  intruder  and,  therefore,  uniquely  speeified  in  eounteraeting  it.  This 
eoneentration  is  time-dependent,  and  in  the  absenee  of  the  eorresponding  antigen  is  subjeet  to  a 
slow  natural  deerease  that  eould  be  expressed  as  a  slow  deeaying  exponential  proeess 

C(t)=  C(to)e““(^“^o^  (1) 

where 

t  -  is  eurrent  time, 

to  -  is  some  fixed  moment  of  time,  to  <  t, 

a  -  is  a  positive  eonstant  that  eould  be  ehosen  to  refieet  the  following  reality:  during  a  50- 
year  period  the  eoneentration  deereases  to  less  than  one  pereent  of  its  initial  value. 

It  is  more  praetieal  to  rewrite  the  above  equation  as 

C(t)=Coe-“'  (2) 

where  C(to)  =  Co  -  Equation  (2)  should  be  eonsidered  as  the  “natural  motion”  equation  of  the 
immune  defense  meehanism.  It  eould  be  seen  that  the  natural  dynamies  of  the  immune 
meehanism  is  stable. 
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Introduce  quantity  P(t)  representing  the  coneentration  of  the  intruding  antigen  cells.  This 
eoneentration  is  also  time-dependent:  the  antigen  utilize  the  available  resources  of  the  biologieal 
organism  to  multiply,  and  in  the  absence  of  the  eorresponding  fighter  cells  this  eoneentration  is 
subject  to  a  relatively  fast  inerease  that  could  be  expressed  as 

P(t)=  P(ti)eP^‘“‘i^  (3) 


where 

ti  -  is  the  moment  of  infection,  ti<  t, 
(3  -  is  a  positive  number,  13»a 


Equation  (3)  represents  the  antigen  multiplication  process  within  a  biological  organism  in  the 
absenee  of  the  immune  response  attempting  to  counteraet  this  process.  Therefore  (3)  should  be 
eonsidered  as  the  “natural  motion”  equation  of  the  antigen  multiplication  process.  It  could  be 
seen  that  the  natural  dynamies  of  this  proeess  is  unstable.  It  should  be  realized  that  the  antigen 
multiplieation  takes  place  at  the  expense  of  the  invaded  biologieal  organism  and  therefore 
quantity  (3  could  be  viewed  as  the  “available  share  of  the  resources”  of  the  organism  and  is  time- 
dependent. 

The  immune  response  is  preceded  by  the  deteetion  of  the  invaded  antigen.  This  is 
aceomplished  by  the  physieal  contact  between  the  antigen  cell  and  the  specialized  immune 
fighter  eell  that  takes  place  some  time  after  the  moment  of  infeetion,  ti.  Consider  the  moment  of 
the  detection  of  the  antigen,  t2=ti+T.  While  both  the  antigen  and  fighter  eells  are  dispersed 
within  the  body,  the  time  delay  is  a  random  variable  and  could  be  characterized  by  the  its 
average  value  that  is  inversely  proportioned  to  the  concentrations  of  these  cells,  C(t)  and  P(t),  i.e. 


where 

k  >  0  is  some  eonstant. 


k 

C(t)P(t) 


(4) 


After  the  invaded  antigen  has  been  detected,  the  immune  response  could  be  visualized  as 
a  negative  feedbaek  control  process  that  maintains  the  concentration  of  the  fighter  eells  sufficient 
for  the  complete  elimination  of  the  antigen.  It  eould  be  theorized  that  until  the  intruders  are 
present,  the  coneentration  of  the  fighter  cells  exponentially  increases  following  the  equation 

C(t)=  C(t-ti-T)e^'*-*'“^’  (5) 


Note  that  during  the  time  interval  x  coneentration  C(t)  changes  very  little,  and  therefore  (5)  eould 
be  rewritten  as 


C(t)=  (6) 

where  5  is  a  non-negative  number  dependent  on  the  eurrent  concentration  of  the  antigen  as 
follows 
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f  >0  ifP(t)>0 
‘'^M=-a  ifP(t)=0 


(V) 


It  could  be  seen  from  (7)  that  in  the  absenee  of  antigen  C(t)  reverts  to  the  natural  motion  pattern. 

The  existenee  and  multiplieation  of  tighter  cells  also  consumes  limited  resources  of  the 
biologieal  organism,  competing  for  these  resourees  with  the  multiplying  antigen  eells.  The 
quantity  5(t)>0  also  could  be  viewed  as  the  “available  share  of  the  resources”  and  therefore  the 
following  eonstraint  should  be  expeeted; 

Ki  [|3(t)+5(t)]+  K2[C(t)+P(t)]  <  const  (8) 

where  Ki  and  K2  are  eoeffieients  refleeting  the  “eost  of  multiplieation”  and  the  “eost  of  living” 
of  the  immune  fighter  cells  and  antigen  eells. 

Now  we  ean  summarize  the  above  equations  in  the  following  block  diagram  representing 
the  logistie  and  dynamies  of  the  immune  response  and  faeilitating  its  simulation  analysis. 

Bloek  ANTIGEN  represents  the  dynamies  of  the  multiplieation  of  the  antigen  cells  aeeording  to 
equation  (3).  Bloek  IMMUNE  describes  both  the  “natural”  and  “foreed”  dynamies  of  the 
multiplication  of  the  immune  fighter  eells  in  consistenee  with  equations  (2),  (6)  and  (7).  It  could 
be  seen  that  the  multiplieation  rate  of  both  types  of 


Figure  5-1  Logistical  and  Dynamics  of  Immune  Response 


eounteraeting  eells  is  limited  as  they  share  the  limited  resourees  of  the  infected  biological 
organism.  Block  DELAY  is  responsible  for  the  implementation  of  the  variable  delay  in  the 
immune  response  ehannel,  as  per  equation  (4).  Bloek  NL  prevents  the  simulation  system  from 
the  appearanee  of  negative  concentrations  of  the  immune  and  antigen  cells. 

The  simulation  of  immune  responses  is  initiated  by  applying  a  pulse-type  signal 


Po(t)- 


jP(ti), 


0<  t<  At 
t  >  At 
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where  At  is  the  simulation  time  step  and  P(ti)  represents  the  severity  of  infeetion.  Depending  on 
the  initial  choice  of  the  simulation  constants,  the  simulation  will  lead  to  the  following  outcomes: 

1 .  Lethality:  the  antigen  cells  multiply  faster  than  the  fighter  cells  and  consequently 
overwhelms  the  immune  defenses. 

2.  Chronic  infection:  an  unstable  balance  between  the  concentration  of  fighter  cells  and 
the  concentration  of  the  specialized  immune  fighter  cells. 

3 .  Full  recovery:  the  immune  fighter  cells  multiply  faster  than  the  antigen  cells  and 
consequently  neutralize  the  intruder. 

The  following  situations  were  subjected  to  simulation  analysis  utilizing  the  developed 
equations: 

a-  effect  of  the  concentration  of  the  antigen  cells  in  the  “full  recovery”  case  obtained  for 
various  detection  delays  values.  It  could  be  seen  that  as  the  detection  time  increases  due  to  low 
immunity  to  the  particular  antigen  (low  initial  concentration  of  the  specialized  immune  fighter 
cells)  the  severity  and  duration  of  the  disease  increases,  see  Figure  below. 

b  -  effect  of  the  concentration  of  the  antigen  cells  in  the  “full  recovery”  case  obtained  for 
various  initial  concentrations  of  the  antigen  cells  (severity  of  the  infection).  It  could  be  seen  that 
due  a  very  rapid  multiplication  of  the  antigen  cells,  their  initial  concentration  manifests  itself 
primarily  by  affecting  the  detection  time. 

c  -  effect  of  the  concentration  of  the  antigen  cells  in  the  “full  recovery”  and  “lethality” 
cases  obtained  for  various  detection  delays  values.  It  could  be  seen  that  as  the  detection  time 
increases  due  to  low  immunity,  the  multiplying  antigen  cells,  before  being  detected  and 
counteracted,  occupy  the  increased  share  of  the  available  recourses  of  the  organism. 
Consequently,  after  exceeding  some  threshold,  they  prevent  the  immune  fighter  cells  from 
successfully  multiplying  thus  gaining  the  control  over  the  organism  and  causing  its  effective 
death. 

The  described  outcomes  of  a  disease  caused  by  infection  could  be  easily  interpreted  in 
terms  of  a  computer  network  subjected  to  an  information  attack.  One  can  realize  that  the 
“lethality”  outcome  is  consistent  with  the  outcome  of  a  successful  DoS  or  a  virus  attack 
completely  disabling  a  specific  computer  or  network.  The  “chronic  disease”  case  could  be 
visualized  as  a  partial  loss  of  the  network  operation  and  throughput.  As  it  was  initially  said, 
familiarity  with  the  configuration,  hardware  and  software  components  of  a  computer  network 
creates  the  conditions  when  particular  parameters  of  the  equations  describing  the  “immune 
response”  could  be  established  with  sufficient  accuracy.  While  some  of  these  parameters  should 
be  viewed  as  constants,  other  parameters  could  be  varied  by  reconfiguring  the  network, 
introducing  novel  attach  detection  software,  “borrowing”  additional  resources  from  another 
network,  etc.  Intentional  variation  of  the  network  characteristics  with  the  purpose  of  achieving 
the  assurance  of  the  “full  recovery”  outcome  of  an  information  attack  constitutes  the  control 
effort  that  could  be  administered  by  the  network  operator  or  automatically. 

The  consequent  efforts  of  this  research  will  be  directed  at  the  establishing  realistic 
models  of  the  network  defense  system  dynamics,  characteristics  of  particular  types  of 
information  attacks,  analysis  of  the  “bottlenecks”  of  the  network  defense  systems,  and  finally, 
development  of  dependable  control  laws. 
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W. Concentration  of  antigen  celts  (moment  of  infection=10  sec)  X 


Figure  5-2:  Antigen  Cells  vs.  Time  (Base  on  Deterction  Rate) 
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VI.  Methods  of  Immunocomputing  and  Computer  Network 

Security 


Based  on  the  principles  established  for  the  immune  system,  a  new  computational 
technique,  called  the  Artificial  Immune  System  (AIS),  is  rapidly  emerging,  which  appears  to 
offer  powerful  and  robust  information  processing  capabilities  for  solving  complex  problems. 

Like  Artificial  Neural  Networks  (e.g.  see  [13]),  AISs  can  learn  new  information,  recall 
previously  learned  information,  and  perform  pattern  recognition  in  a  highly  decentralized, 
efficient  fashion.  Researches  have  started  using  AISs  in  many  applications  including  information 
security,  vaccine  design,  fault  detection,  data  mining,  robotics,  etc.  [2]. 

A  rigorous  mathematical  basis  of  AIS  based  on  a  biological  prototype  of  immune  network 
and  on  the  notions  of formal  protein  and  formal  immune  network  has  been  proposed  in  [1].  We 
referred  this  model  as  formal  immune  system,  or  immunocomputing  (IC).  This  paper  provides  a 
further  development  of  our  IC  approach  and  its  application  to  pattern  recognition.  The  approach 
reflects  the  fact  that  recognition  is  the  basic  function  performed  by  the  immune  system  and 
provides  a  mathematical  apparatus,  uniquely  suitable  for  describing  recognition  as  it  is 
performed  in  nature,  i.e.  based  on  the  features  of  recognizing  (binding)  antigen  by  antibodies  in 
the  immune  system.  In  the  natural  immune  system,  local  binding  of  immune  cells  and  molecules 
to  antigenic  peptides  is  based  generally  on  the  behavior  of  surface  proteins.  In  particular, 
immune  cells  contain  proteins  on  their  receptors  that  apparently  play  the  key  role  both  in 
immune  response  and  recognition  processes. 

In  this  work,  we  consider  a  model  of  the  proteins  as  Formal  Protein  (FP)  coded  by  a  real 
unit  vector.  We  propose  also  a  mathematical  model  of  binding,  or  recognizing  between  the 
proteins.  According  to  the  biological  prototype,  the  central  notion  of  this  model  is  binding 
energy.  We  determine  the  binding  energy  between  a  pair  of  FPs  by  a  bilinear  form  over  the  pair 
of  corresponding  unit  vectors.  This  bilinear  form  is  determined  by  a  real  rectangular  matrix. 

Thus,  we  obtain  a  convenient  quantitative  measure  of  the  extent  of  recognition  between  the  FPs. 
The  low  is  binding  energy  -  the  better  is  recognition,  and  vice  versa.  Simply  put,  the  binding 
energy  is  the  energy  that  should  be  applied  to  bind  the  FPs.  The  positive  energy  corresponds  to 
the  repulsion  between  the  FPs,  while  the  negative  energy  corresponds  to  the  attraction  between 
them.  Thus,  the  minimal  negative  energy  corresponds  to  the  strongest  attraction  and 
consequently,  the  best  recognition  between  the  FPs. 

This  model  leads  to  the  formulation  of  a  rigorous  IC  approach  to  pattern  recognition. 
Within  the  approach  any  pattern  is  considered  as  a  set  of  characteristics,  represented  by  real 
values.  There  are  at  least  two  ways  to  represent  a  pattern.  First,  by  transforming  the  set  into  a 
rectangular  matrix  we  facilitate  the  determination  of  the  binding  energy  between  any  pair  of  FPs. 
This  allows  for  establishing  the  pattern  recognition  mode  by  the  so-called  supervised  learning,  or 
training  by  an  expert.  Second,  by  transforming  the  set  into  the  unit  vector  we  represent  the 
pattern  as  an  FP.  This  allows  for  establishing  the  unsupervised  learning,  or  automated 
classification  of  the  patterns.  In  both  cases  some  optimal  set  of  FPs  is  computed  for  any  given  set 
of  pattern  samples.  An  optimal  set  of  probes  is  used  to  recognize  the  patterns^  similar  to  the 
samples.  The  similarity  criterion  is  based  on  the  proximity  between  the  values  of  the  binding 
energy.  For  the  supervised  learning  the  recognition  is  based  on  the  minimal  value  of  the  binding 
energy.  More  specific,  the  pattern  is  recognized  by-such  a  pair  of  the  FPs  that  provides  the 
minimum  of  the  binding  energy  among  all  pairs  of  the  probes.  For  the  unsupervised  learning  the 
recognition  is  based  on  the  minimal  geometric  distance  of  the  binding  energies  between  the  pairs 


30 


"sample-probe"  and  the  pairs  "probe-probe".  Such  an  approach  results  in  rather  fine  classification 
of  the  patterns  and  provides  the  visualization  of  the  classes  as  the  points  in  a  special  plane. 

As  a  demonstration  of  this  IC  approach  to  pattern  recognition  consider  its  application  to  the 
problem  of  intrusion  detection  in  computer  networks.  In  this  case  any  pattern  represents  a  set  of 
the  network  connection  records,  such  as  duration  of  the  connections,  number  of  the  sent  and 
received  data  bytes,  packages,  and  so  on,  in  conjunction  with  normal  behavior  of  the  network 
and  during  an  intrusion.  The  example  shows  how  an  attack  could  be  recognized  by  the  proposed 
approach. 

Mathematical  basis 

According  to  [9],  any  unit  vector  P  with  n  real-valued  components 

P  =  [pi,  ...,Pnf,  PP^  =  l 

can  be  considered  as  a  special  kind  of  FP  with  n-1  links. 

Binding  energy  between  any  pair  of  such  FPs:  {P,  R},  of  the  dimensions  np  and  hr, 
correspondingly,  can  be  defined  by  a  bilinear  form; 

w  =  -P^MR,  (1) 

where  M  is  a  matrix  of  dimension  npXnp. 

It  is  known  (e.g.  see  [5]),  that  extreme  values  of  the  bilinear  form  (1)  are  determined  by  the 
so-called  Singular  Value  Decomposition  (SVD)  of  the  matrix: 

M  =  s,PjR]  +...  +  s,P,rI  ,  (2) 

where  Si  are  singular  values;  Pi  and  i?,  are  left  and  right  singular  vectors;  r  is  rank  of  the  matrix. 

Such  SVD  exists  for  any  rectangular  matrix  over  the  field  of  real  values.  Singular  values  and 
singular  vectors  possess  the  following  useful  properties: 

Sj  >S2  >...>S,>0, 

Pfp=l,  RfRi  =1,  i  =  l,...,r, 

Pi  Pi  =0,  RjRi=0,  J^i. 

Let  us  consider  binding  as  recognizing  between  FPs.  Then  binding  energy  can  be  viewed  as  a 
numerical  measure  of  the  recognition:  the  lower  this  energy  is  -  the  better  is  recognition,  and 
vice  versa.  At  the  same  time,  if  matrix  M  is  given,  then  the  pair  of  the  FPs  with  extreme 
recognition  ability  is  corresponded  to  the  first  singular  vectors  Pi  and  i?/  of  this  matrix,  while  the 
maximal  singular  value  s i  determines  the  minimal  binding  energy: 

W*  =  -Pi  MR  J , 

w*  <  w(P,R ),  \JP,R  :  P^P  =  R^R  =  1 . 
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Such  rigorous  mathematical  properties  of  the  binding  energy  between  the  FPs  that  are  based  on 
the  bilinear  form  (1)  and  the  SVD  (2)  provides  the  computational  basis  for  developing  a  rigorous 
IC  approach  to  pattern  recognition. 

Pattern  recognition 

In  general,  pattern  recognition  can  be  defined  as  follows.  Let  us  treat  real  values  xi,  .... 
as  a  set  of  characteristics.  Consider  an  arbitrary  vector  X=[ xj,  ....  as  a  pattern  that  belongs 
to  a  characteristic  space  {X}.  Consider,  that  the  space  can  be  partitioned  onto  the  subsets 
(classes)  {X}c ,  c=l,  2,  ...k.  Then  recognition  of  a  sample  X  implies  the  determination  of  such  a 
class  c  that  Xa  {X}c,  while  learning  implies  the  partitioning  (classification)  of  the  eharacteristic 
space.  If  the  space  is  being  partitioned  into  known  classes  by  experts,  then  it  is  known  as 
supervised  learning  (or  training).  If  the  number  of  the  elasses  k  and  the  elass  definitions  are 
unknown  a  priory,  then  the  situation  is  referred  to  as  unsupervised  learning. 

The  use  of  the  binding  energy  between  the  FPs  as  the  rigorous  measure  of  the  recognition 
constitutes  the  main  feature  of  the  IC  approach  to  pattern  reeognition.  This  approaeh  is  outlined 
as  follows. 

Supervised  Learning 

Folding  vectors  to  matrices 

Fold  vector  X  of  dimension  nxl  to  a  matrix  M  of  dimension  npXnR=n.  It  has  been  shown 
formally  in  [7],  that  this  operation  increases  the  specifieity  of  recognition. 

Learning 

Form  matrices  Mp...,  Mk  for  all  classes  c=l,...,k,  and  eompute  their  singular  veetors: 


{Pi,  Rj}  -  for  Ml,  ...  ,  (Pk,  Rk}  -  for  Mu. 


Recognition 

For  each  input  pattern  {sample)  M  compute  k  values  of  the  binding  energy  between  each 
pair  of  the  singular  vectors  {probe): 

wi  =  - P/MRi ,  ... ,  Wk  =  -PkMRk. 


Determine  the  class  to  which  the  pattern  belongs  by  the  minimal  value  of  the  binding  energy: 

c  .•  w*  =  min{ } .  (3) 

C 


Unsupervised  Learning 

Consider  the  matrix  M=  [Xi...  X^J^  of  dimension  mxn  formed  by  m  vectors  (patterns)  Xi, 
....  Xm.  Consider  the  SVD  of  this  matrix: 


Pll 

P2I 

Rj  +S2 

_Pln_ 

a: 

(4) 
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where  5a  S2  are  the  first  two  singular  values,  and  i?/,  R2  are  the  right  singular  veetors. 

Note,  that  every  string  i  of  the  matrix  M  represents  the  values  Xy  of  n  eharaeteristies  of  the 
pattern  where  i=l,...,m  and  j=l,...,n.  Henee,  aecording  to  the  SVD  properties,  the 
eomponents  pji,  p2i  of  the  left  singular  vectors  Pi,  P2  satisfy  the  following  equations: 


where 


Comparison  of  (1)  and  (5)  makes  obvious,  that  the  components  pn,  p2i  can  be  computed 
as  binding  energies  wn,  W2i  between  the  FP  P(Xi)  and  the  FPs  Ri,  R2,  correspondingly.  Thus, 
every  vector  Z;  with  n>2  characteristics  can  be  mapped  onto  only  two  values  of  binding  energies. 

Such  mapping  gives  a  mathematically  rigorous  way  to  represent  and  view  all  patterns, 
regardless  of  the  number  of  characteristics,  as  points  in  two-dimensional  space  of  binding 
energies  {wi,  W2}.  This  plane  could  be  treated  also  as  a  shape  space  of  the  IC,  according  to  [3]. 
Such  representation  of  patterns  in  the  shape  space  of  the  IC  allows  classifying  them  in  a  natural 
way  by  the  groups  {clusters)  of  the  neighboring  points.  Such  classifying  can  be  performed  by 
experts  using  supervised  training  as  well  as  without  experts  using  unsupervised  learning. 

Therefore,  the  technique  of  the  unsupervised  learning  by  the  IC  approach  is  as  follows. 

First,  the  matrix  M=  [Xj...  X^]^  is  formed  by  all  samples  Xi,  ... ,  X^. 

Second,  the  SVD  of  this  matrix  (2)  is  computed  to  obtain  the  first  r  singular  values  si,...,Sr 
and  singular  vectors  Pi,  Rj Pr,  Rr  ■ 

Third,  two  right  singular  vectors  Rmi,  Rmi  are  chosen  as  the  "antibodies",  or  the  probes. 
Usually,  the  first  two  singular  vectors  i?;,  R2  are  to  be  chosen.  However,  in  some  cases  another 
pair  of  the  probes  can  result  in  even  more  fine  classification  of  the  patterns. 

Forth,  all  initial  samples  X;,  ... ,  X^  are  mapped  onto  the  plane,  according  to  (5). 

Fifth,  the  clusters  (classes)  of  the  patterns  are  formed,  according  to  the  proximity  of  the 
corresponding  points  in  the  plane.  A  vector  norm  can  serve  as  the  measure  of  the  proximity,  any 
method  used  in  the  traditional  pattern  recognition  (e.g.  see  review  in  [7])  can  be  employed  as  the 
method  of  forming  clusters. 

Sixth,  the  recognition  of  any  sample  X  can  be  performed  by  mapping  it  onto  the  plane  as 
the  point,  according  to  (5).  Then  the  class  of  the  sample  is  determined  by  the  cluster  of  the 
nearest  points  in  the  plane. 

The  IC  approach  to  pattern  recognition  has  already  appeared  to  be  useful  in  solving  a 
number  of  important  practical  tasks,  including  detection  of  dangerous  situations  in  near-Earth 
space  [9],  detection  of  the  similarity  in  the  dynamics  of  the  infectious  diseases  in  Russia  [7], 
computation  of  the  map  of  complex  appraisal  of  environmental  conditions  in  the  city  of 
Kaliningrad  [6],  and  the  utilization  of  space-time  dynamics  of  the  plague  infection  in  Central 
Asia  for  health  risk  assessment  [11].  Consider  now  a  possible  application  of  the  IC  approach  to 
intrusion  detection  in  computer  networks. 
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Application  to  intrusion  detection 

A  numerical  experiment  was  staged  using  a  fragment  of  the  database  by  [1]  representing 
several  types  of  intrusions,  as  shown  in  Tab.  1  and  Tab.  2. 

First  column  of  Tab.  1  presents  conventional  names  of  the  15  intrusion  types 
(apache2,. . .,  xsnoop)  and  a  normal  behavior  of  the  network  connection  (normal).  Second 
column  assigns  short  names  to  the  intrusion  types  as  listed  in  Tab.  2.  The  rest  columns  of  Tab.  1 
show  auxiliary  conditions  under  which  the  data  of  the  intrusions  had  been  recorded  (columns 
'T'',...,''33''  in  Tab.  2). 


Table  6-1.  Types  of  intrusions 


Intrusion  type 

Sign 

Protocol 

type 

Service 

apache2 

ap2 

Top 

http 

buffer  overflow 

b  0 

Tcp 

telnet 

guess_passwd 

g_P 

Top 

pop_3 

ipsweep 

ips 

Icmp 

ecoi 

multihop 

mul 

Tcp 

telnet 

named 

nam 

Tcp 

domain 

normal 

norm 

Udp 

private 

phf 

phf 

Tcp 

http 

pod 

pod 

Icmp 

ecri 

portsweep 

por 

Tcp 

private 

saint 

St 

Tcp 

private 

sendmail 

se 

Tcp 

smtp 

snmpgetattack 

snm 

Udp 

private 

udpstorm 

ud 

Udp 

private 

xlock 

xlo 

Tcp 

XI 1 

xsnoop 

xsn 

Tcp 

XI 1 

The  database  fragment  in  Tab.  2  below  presents  106  records  (column  "#")  on  the  several 
types  of  the  intrusions  (column  "Sign").  The  fragment  utilizes  33  characteristics  (columns 
'T",...,"33")  for  the  network  connection  records,  including  lengths  (number  of  seconds)  of  the 
connection  (column  "1"),  number  of  data  bytes  from  source  to  destination  (column  "2"),  from 
destination  to  source  (column  "3"),  and  so  forth  (the  rest  of  columns). 

These  data  were  represented  in  the  shape  space  of  the  IC  as  follows.  A  matrix  M  of 
dimension  106x33  was  formed  by  all  input  data  of  Tab.  2  (rows  "1"  -  "106"  and  columns  "1"  - 
"33").  The  SVD  of  this  matrix  was  computed  according  to  (4).  For  guaranteed  classification  of 
intrusions  this  SVD  involved  6  singular  values  si,  ,  $6  and  corresponded  pairs  of  left  and  right 
singular  vectors  Pi,  Ri,  ...,  P 6,  Re  -  The  last  two  right  singular  vectors  i? 5,  were  taken  as  two 

"antibodies"  {FP-1,  FP-2}.  Accordingly,  every  string  M,  (row  of  Tab.  2)  of  the  matrix  M,  where 
i=l,...106,  was  considered  as  one  of  the  following  FPs:  {FPi ,  ... ,  FPioe}.  Then,  according  to  (1) 
and  (5),  the  components  of  the  left  singular  vectors  P5  and  Pe  represented  two  values  (wj ,  W2}  of 
the  binding  energy  between  any  FPi  and  each  "antibody": 


wii  =  >v(FP-l,  FPi),  W2i  =  >v(FP-2,  FPj), 
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Table  6-2.  Intrusion  records  (columns  'T"..."33")  and  shape 
space  coordinates  of  the  intrusions  (columns  ’’wi’’,  ’’W2’’) 


# 

Sign 

1 

2 

..  33 

Wi 

W2 

1 

ap2 

906 

57964 

0 

-0.044 

-0.018 

11 

bo 

198 

2442 

0 

0.117 

-0.082 

26 

mul 

69 

331 

0 

0.116 

-0.088 

45 

nor 

0 

223 

0 

-0.216 

0.065 

m 

51 

phf 

0 

0 

0.06 

-0.008 

0.003 

52 

pod 

0 

1480 

0 

0.113 

-0.090 

62 

por 

0 

0 

1 

0.113 

-0.081 

79 

st 

0 

0 

0 

0.119 

0.361 

82 

se 

2 

4485 

0 

0.112 

-0.089 

88 

snm 

0 

105 

0 

-0.132 

-0.014 

98 

ud 

0 

0 

0 

0.001 

0.004 

99 

xlo 

199 

56124 

0 

0.108 

-0.077 

10 

xsn 

50 

226 

0 

0.114 

-0.088 

6 

All  these  values  are  shown  also  in  Tab.  2  (columns  "wT  and  "W2")  and  represented 
geometrically  in  Fig.  1. 

Therefore,  any  intrusion  record  with  33  characteristics  (see  rows  of  Tab.  2)  is  represented 
in  Fig.  1  as  a  point  in  the  IC  shape  space.  A  number  of  the  point  corresponds  to  the  number  of 
the  intrusion  record  from  Tab.  2.  Horizontal  coordinate  of  the  point  corresponds  to  the  value  w; 
and  vertical  coordinate  corresponds  to  the  value  W2. 

As  one  can  see  from  Fig.  1  below,  the  main  advantage  of  such  a  representation  is  that  the 
points  form  clear  groups  (classes)  in  the  shape  space.  Such  classes  (rounded  in  Fig.  1  for  the  sake 
of  obviousness)  correspond  to  the  normal  behavior  and  the  intrusion  types.  In  other  words,  we 
have  obtained  a  classification  of  the  intrusions  by  the  unsupervised  learning.  The  obtained 
classification  shows  that  the  IC  approach  separates  surely  normal  behavior  from  intrusions. 
Indeed,  the  points,  which  correspond  to  the  normal  behavior  ("norm"  points  ##  45,  46,  49,  50,  as 
well  as  the  point  #48,  can  be  separated  clearly  from  the  other  points,  which  correspond  to 
intrusions.  Moreover,  Tab.  2  and  Fig.  1  allow  for  reliable  detection  (separation)  almost  all  types 
of  the  intrusions  as  relatively  close  points  in  the  shape  space.  Zooming  in  with  Fig.  1  can 
produce  more  thorough  analysis  within  the  types  of  intrusions. 
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Figure  6-1.  Intrusion  records  in  the  IC  shape  space. 

Using  such  classification,  the  IC  approach  could  recognize  the  intrusion  in  the  following 
fashion. 

Any  network  connection  data  should  be  recorded  as  a  vector  with  33  components: 

X=  [xi,  ... ,  xssf . 

The  values  of  the  components  of  this  vector  correspond  to  the  characteristics  "1"  -  "33" 
of  Tab.  2.  Then  two  values  wi,  W2  of  the  binding  energy  should  be  computed  according  to  the 
bilinear  forms  in  (1)  and  (5): 


W]  = - R5  ,  ^2  ~ - ^6  ■ 

S5  Sf, 

The  point-sample  with  such  coordinates  could  be  compared  with  any  point-probe  in  the 
shape  space  to  find  the  closest  one.  This  proximity  could  be  quantified  by  Euclidean  norm  or  any 
other  norm.  Thus,  the  closest  point-probe  could  determine  either  a  normal  behavior,  or  a  type  of 
intrusion  for  the  point-sample,  which  represent  the  recognizing  type  of  the  network  connection. 

For  example,  consider  the  row  #45  of  Tab.  2  as  a  set  of  characteristics  of  a  checking 
network  connection.  Then,  according  to  Fig.  1,  the  closest  point-probe  in  the  shape  space  is  a 
point  #46.  As  the  point-probe  #46  corresponds  to  the  normal  behavior,  then  the  point-sample  #45 
could  be  recognized  as  the  normal  behavior  of  the  checking  network  connection. 

Another  method  of  intrusion  detection  by  the  IC  approach  could  be  also  based  on  the 
supervised  learning  (see  section  UFA)  without  using  shape  space  representation.  In  this  case  any 
network  connection  record  with  33  components  should  be  folded  to  a  matrix  M  of  dimension 
3x1 1  as  follows: 


X,  . 

■■  ^11 

^12  ■ 

■■  ^22 

^23  ■ 

■■  ^33 
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In  the  learning  mode  a  training  set  of  reeords  should  be  used  to  form  matriees  Mapp2 ,  , 

Mxsn  for  the  types  of  intrusions  and  a  matrix  Mnorm  for  the  normal  behavior.  SVD  of  eaeh  matrix 
results  in  a  pair  of  the  fist  left  and  right  singular  veetors  {Pj,  RJ  serving  as  a  pair  of  probes 
("antibodies")  for  eaeh  learning  elass: 

{Pi,  Rijappi ,  ... .  {Pi,  Ri}  xsn  j  {Pi,  Ri}  norm  • 

In  the  reeognition  mode,  any  eheeking  reeord  X  should  be  folded  to  the  matrix  M.  Then 
16  values  of  the  binding  energy  between  the  probes  should  be  eomputed; 


w 


app2 


Wy 


{Ri  }app2p^{Rl}app2  ?  . 

=  ~{Pj  }xsn  M{Ri  Ixsn  , 
=  -{Pl}  norm  M(Rj} 

norm 


According  to  (3),  intrusion  type  could  be  recognized  by  the  minimal  value  of  the  binding 

energy: 


w*  =  min{  W^pp2 }  . 

Simply  put,  the  class  of  the  pair  of  probes  that  corresponds  to  the  minimal  value  of  the 
binding  energy  is  the  type  of  intrusion  or  the  normal  behavior. 

To  improve  intrusion  detection,  the  two  methods  of  recognition,  supervised  learning  and 
unsupervised  learning  using  shape  space  could  be  combined. 

Intrusion  features  analysis 

The  proposed  approach  is  able  also  to  reduce  essentially  the  number  of  recording 
characteristics  of  the  network  connection  for  intrusion  detection.  In  other  words,  the  approach 
allows  selecting  most  useful  features  of  the  network  traffic  to  distinguish  normal  connection 
from  attack.  In  could  be  done  as  follows. 

According  to  the  previous  section,  consider  the  coordinates  R5,  Rs  of  two  "antibodies"- 
probes  shown  in  Tab.  3.  Every  pair  of  these  coordinates  (row  of  Tab.  3)  represents  one  of  the  33 
characteristics  (first  column  of  Tab.  3)  of  the  network  connections  used  in  the  fragment  of  the 
database  of  our  numerical  experiment. 

Representation  of  these  coordinates  as  points  in  the  shape  space  of  the  IC  allows  to  select 
the  most  distinctive  points  that  stand  somehow  out  relatively  to  a  background  of  other  points. 
Such  distinctive  points  are  picked  out  as  bolded  rows  ##  1,  15,  16,  24,  25,  26,  33  in  Tab.  3 
below.  As  one  can  see,  these  points  have  relatively  big  values  of  their  coordinates. 

Another  numerical  experiment  was  staged  using  this  reduced  set  of  seven  characteristics. 
According  to  the  previous  section,  a  matrix  M  of  dimension  106x7  was  formed  by  input  data  of 
Tab.  2  (rows  "1"  -  "106"  and  columns  "1",  "15",  "16",  "24",  "25",  "26",  "33").  The  SVD  of  this 
matrix  was  computed  according  to  (4),  and  so  forth.  Finally,  the  shape  space  representation  of 
the  data  was  computed.  Remarkably,  that  the  reduced  set  of  7  selected  characteristics  gives 
almost  the  same  results,  as  the  full  set  of  33  characteristics  in  Fig.  1.  The  reduced  set  also 
separates  surely  normal  behavior  from  intrusions  and  detects  reliably  almost  all  types  of  the 
intrusions  as  relatively  close  points  in  the  shape  space. 
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Table  6-3  .  Coordinates  of  "antibodies"-probes 


characteristic 

# 

Rs 

Re 

1 

0.0883 

0.0002 

2 

0.0000 

-0.0000 

14 

0.0001 

-0.0004 

15 

0.0856 

0.9950 

16 

-0.0104 

0.0157 

17 

0.0003 

0.0015 

23 

-0.0001 

0.0002 

24 

0.4163 

-0.0777 

25 

-0.9008 

0.0585 

26 

-0.0037 

0.0013 

27 

0.0011 

0.0008 

32 

0.0007 

0.0014 

33 

0.0023 

0.0052 

In  other  words,  the  IC  approach  has  reduced  initial  data  of  network  connection  records 
almost  to  five  times  from  33  characteristics  to  7  without  loosing  intrusion  detection  possibilities. 
Therefore,  the  approach  is  able  to  select  most  useful  traffic  features  to  distinguish  normal 
connection  from  attack.  The  description  of  these  features  for  the  data  of  the  computation 
experiments  is  given  in  Tab.  4. 


Table  6-4,  Most  useful  traffic  features  to  detect  attack 


feature  # 

feature  name 

description 

1 

Duration 

length  (number  of  seconds) 
of  the  connection 

15 

Count 

number  of  connections  to 
the  same  host  as  the  current 
connection  in  the  past  two 
seconds 

16 

srvcount 

number  of  connections  to 
the  same  service  as  the 
current  connection  in  the 
past  two  seconds 

24 

dst_host_ 

count 

number  of  connections  to 
the  same  destination  host  as 
the  current  connection  in 
the  past  two  seconds 

25 

dst_host_srv_ 

count 

number  of  connections  to 
the  same  destination  host 
and  the  same  service  as  the 
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26 


33 


dst_host_srv 
rerror  rate 


dsthost 
same_ 
srv  rate 


eurrent  connection  in  the 
past  two  seconds 
%  of  connections  to  the 
same  destination  host  and 
the  same  service  as  the 
current  connection  in  the 
past  two  seconds 
%  of  connections  that  have 
errors 


Conclusion 

As  shown  also  in  [1 1],  the  proposed  IC  approach  to  pattern  recognition  is  rather 
powerful,  robust  and  flexible.  It  is  able  to  give  rather  fine  classification  thus  focusing  attention 
on  the  most  dangerous  situations,  which  is  beyond  the  possibilities  of  the  traditional  statistics. 

We  would  also  like  to  highlight  three  features,  which  make  the  approach  promising: 

1 .  Appropriate  biological  prototype  of  pattern  recognition  by  the  immune  system  proteins 
honed  by  million-year  evolution; 

2.  Rigorous  mathematical  basis  of  the  IC; 

3.  Possibility  of  hardware  implementation  of  the  IC  in  a  special  immunochip  [1]. 

Such  an  implementation  could  significally  enhance  the  level  of  reliability,  flexibility  and 
computational  efficiency  of  AISs  as  well  as  their  principal  applications  (e.g.  to  information 
security,  according  to  [2],  [12])  to  a  new  level  of  maturity.  On  the  other  hand,  a  growing  need  to 
overcome  main  disadvantages  of  the  neural  networks’  models,  such  as  spurious  patterns,  small 
storing  capacities  comparatively  to  the  dimension  of  networks,  non-localized  errors,  etc.,  is  well 
recognized.  These  factors  prevent  the  proliferation  of  neurochips  in  those  fields  where  the  cost  of 
a  single  error  is  too  high  (e.g.  aviation,  medicine,  information  security).  It  could  be  said  that  the 
natural  immune  system  successfully  protects  organism  from  such  “errors”  and  invaders. 
Therefore,  the  authors  hope  that  the  IC  has  the  potential  for  serving  as  immune  systems  in  large- 
scale  control  and  computer  networks. 
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VII.  Mining  of  the  Data  Traffic  in  a  Computer  Network  and  Detection 

of  DoS  Attacks 


1.  Denial  of  Service  attacks  on  computer  networks 

The  vulnerability  of  modem  eomputer  networks  to  information  attaeks  is  of  great  eoneern 
to  any  organization  utilizing  eomputer  networks.  With  the  inerease  of  size,  intereonneetivity  and 
number  of  users,  networks  are  becoming  increasingly  vulnerable  to  newly  developed  direct  and 
remote  threats  and  attacks  compromising  the  integrity,  confidentiality  or  availability  of  a 
network,  and  consequently  information. 

Denial  of  Service  (DoS)  attacks  making  cmcial  network  resource  and/or  information 
unavailable,  are  among  the  most  common  attack  types.  DoS  attacks  are  both  effective  and  easy 
to  deploy.  DoS  attacks  threaten  all  systems  connected  to  the  Internet,  including  servers,  clients, 
routers,  and  firewalls.  In  a  DoS  attack  scenario,  the  attacker  sends  malicious  traffic  to  the  target 
with  the  aim  of  crashing,  crippling,  or  jamming  communication  between  the  target  system  and 
legitimate  users.  Current  computer  security  systems  provide  some  degree  of  protection  of 
information  attacks  and  enhance  the  decision-making  ability  of  the  network  administrator.  These 
functions  are  performed  by  a  number  of  independent  system  components  requiring  an  enormous 
amount  of  distributed  and  specialized  knowledge,  and  consequently,  computations.  As  a  rule, 
these  systems  represent  a  bottleneck  with  regard  to  throughput,  speed,  reliability  and  flexibility 
of  a  network 

Unlike  hardware  failures  of  network  components,  information  attacks  unravel  in  time, 
propagating  through  the  network  and  affecting  the  increasing  number  of  users  and  hosts.  A 
network  operator  could  detect  these  undesirable  developments  at  relatively  early  stages,  and 
undertake  important  decisions  alleviating  the  attack.  These  decisions  typically  reflect 
experience  and  intuition  of  human  operator  and  consequently  are  based  on  his/her  subjective 
interpretation  of  the  current  status  of  the  network.  The  dynamic  nature  of  information  attacks 
and  ability  to  monitor  status  of  a  network  facilitate  the  development  of  mathematically  justified, 
more  efficient  approaches  to  the  detection  of  attacks  providing  important  insight  to  human 
operators.  This  research  is  aimed  at  the  application  of  advanced  statistical  analysis  for  the 
objective  assessment  of  the  network  status  and  detection  of  unique  changes  in  the  status 
indicative  of  information  attacks.  Implementation  of  this  approach  can  result  in  an  information 
security  tool  facilitating  early  detection  of  the  DoS-type  attacks  and  providing  on-line  support  of 
operators’  decisions. 

2,  Quantitative  characterization  of  a  computer  network 

A  modern  computer  network  constitutes  a  complex  dynamic  system  containing  many 
relatively  independent,  highly  interconnected,  dynamic  components.  While  the  structural 
complexity  of  such  a  network  is  not  to  be  questioned,  its  dynamic  nature  is  not  that  obvious. 
Indeed,  electronics-based  network  hardware  has  negligible  dynamics.  However,  every  data 
processing,  digital  communication,  and  data  interpretation  procedure,  implemented  in  software, 
has  finite  execution  time.  Within  the  network,  operation  of  every  logical  unit  can  be 
characterized  by  the  data  traffic  flow  through  this  unit  that  comprises  data  packets  of  various 
sizes.  The  composition  of  data  flow  could  be  quantified  by  percentages  of  large,  medium  and 
small  size  packets.  The  packets  may  be  accumulated  in  queues  and  are  processed  in  some  order 
that  results  in  the  effect  of  “inertia”  responsible  for  the  network  dynamics.  Unlike  classical  view 
of  system  dynamics,  dynamics  of  a  computer  network  is  both  system-  and  input-dependent. 
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System  dependence  of  network  dynamics  is  related  to  the  throughput  of  particular  modules  of 
the  network.  Input  dependence  manifests  itself  by  time-varying  number  of  packets  to  be 
processed  and  their  composition,  and  specific  computational  tasks. 

It  is  understood  that  while  the  network  configuration  and  throughput  of  its  components 
are  not  affected  by  information  attacks,  they  do  not  carry  any  useful  information  for  our  purpose. 
However,  information  attacks  cause  gradual  changes  in  the  volume  and  composition  of 
particular  data  flows  within  the  network,  ultimately  leading  to  a  complete  denial  of  service. 
While  periodic  changes  of  the  flows  volumes  and  compositions  could  be  observed  under  normal 
operation  of  the  network  on  the  24-hour  and  7-day  scales,  it  is  expected  that  changes  in  the  flow 
volumes  and  compositions  caused  by  information  attacks  follow  very  different  statistical 
patterns.  This  creates  the  opportunity  for  differentiating  “normal”  fluctuations  from  those 
caused  by  attacks.  These  realities  have  led  the  authors  to  the  following  conclusion:  dynamic 
properties  of  a  computer  network,  representing  its  immediate  status,  could  be  best  described  in  a 
specially  defined  state  space  that  reflects  not  the  configuration  of  the  network  hardware  or 
software,  but  the  volumes  and  compositions  of  data  flows  through  particular  modules  of  the 
network,  and  their  rates  of  change. 

Assume  that  a  computer  network  consists  of  M  interrelated  processing  modules,  and  the 
m-th  module  has  the  data  flow  characterized  by 

-  volume,  i.e.  number  of  bytes  per  second,  -  z^, 

-  composition  of  the  data  flow,  i.e.  the  percentage  of  large,  medium  and  small  packets  - 
Pm,  rm,  Sm,  such  that Pm+f'm+Sm=^,  and 

-  time  derivatives  (rates  of  change)  of  these  variables  -  z’m,p’m,  rf,  sf  ,  where 
m=l,2,...,M 

For  convenience,  all  “state  variables”  of  the  computer  network  could  be  assembled  under  the 
state  vector 


2f  \_^m  ,  Pm  ,  fm  ,  ^  1,2,...  ,A/]  (2.1) 

It  could  be  seen  that  the  attempt  to  quantify  the  status  of  a  computer  network  leads  to  the 
definition  of  the  state  space  of  high  dimension.  It  is  also  understood  that  X  is  a  random  vector 
and  its  realization  X(k)  represents  the  an  immediate  status  of  the  network  at  the  discrete  time 
moment  A=1 ,2,3 ....  The  availability  of  a  network  monitoring  system  allows  us  to  accumulate  a 
database,  {X(k)  ,  1,2,3 representing  the  network  status  (operation)  over  some  period  of 

time.  Although  the  established  state  space  and  database  may  not  be  sufficient  for  the  formulation 
of  the  network  control  problems,  it  can  provide  sufficient  information  for  the  detection  of 
specific  changes  in  the  network  status  caused  by  information  attacks.  Fortunately,  attack 
detection/recognition  is  a  much  simpler  task  than  control  that  may  concentrate  on  the  analysis  of 
some  “bottlenecks”  of  the  network.  Application  of  statistical  analyses  facilitates  the  detection  of 
the  “informative”  components  of  the  state  vector  thus  resulting  in  the  significant  simplification 
of  the  attack  detection/prediction  problem,  and  consequently,  definition  of  simplistic  recognition 
rules.  It  could  be  achieved  if,  and  only  if,  the  available  database  contains  both  the  normal 
operational  data,  and  the  information  accumulated  during  attack  of  the  known  type,  i.e.  has  the 
format  {X(k),  Q(k),  A=l,2,3...,  N},  where  Q(k)  is  a  flag  indicating  the  presence  of  the  attack  at 
the  discrete  time  moment  k. 


41 


Recall  that  the  particular  realizations  of  the  database  are  random  vectors.  Application  of  a 
statistical  approach  to  the  detection/prediction  problem  results  in  “averaging  out”  the  effects  of 
such  unimportant  factors  and  fluctuations  of  variables  X  during  normal  operation  of  the  network, 
and  detecting  abnormal  trends  in  the  network  status  data,  that  could  be  interpreted  as  an  incipient 
information  attack.  The  following  mathematical  techniques  are  consistent  with  the  statistical 
nature  of  the  attack  detection/prediction  problem. 

3,  Cluster  Analysis  and  Genetic  Optimization 

Cluster  analysis  is  a  group  of  statistical  techniques  facilitating  the  detection  of 
informative  components  of  what  could  be  a  very  extensive  database.  It  is  clear  that  this  task 
cannot  be  accomplished  without  relevance  to  some  decision-making  or  a  classification  problem. 
We  will  visualize  the  database  as  a  combination  of  realizations  of  real  status  variables,  X ,  and  a 
binary  class  indicator,  Q : 


{x(k),g(k)}  =  {x^{k),x^{k),Xj^{k),...,x^{k),Q{k)]  (3.1) 

where  k  =  1,2,3,...,  A  is  the  realization  index,  and  Q{k)  can  have  only  two  alternative  values, 
“a”  or  “b”.  Then  the  classification  rule  is  established  on  the  basis  of  some  function  defined  in 
the  X  space,  F[X] ,  such  that,  generally,  F[X]  <  0  for  the  majority  of  realizations  when 
Q{k)  ="a"  and  F[X]  ^  0  for  the  majority  of  realizations  when  Q{k)  ="b" ,  or  in  terms  of 
conditional  probabilities, 

p{F[k]  <  0  /  Q[k]  =’’a"}  ^  P{F[k]  <  0  /  Q[k]  ="b"}  (3.2) 

where  P{AI  B}  denotes  the  probability  of  event  A  subject  to  the  occurrence  of  event  B. 

It  is  also  understood  that  the  classification  problem  does  not  have  a  unique  solution,  and  there  is 
a  wide  class  of  functions  F[X]  that  could  satisfy  condition  (3.2)  to  a  greater  or  a  lesser  extent. 

A  simplification  of  the  classification  rule  requires  reducing  the  number  of  the  components  of 
vector  X  to  the  necessary  minimum  by  choosing  the  smallest  group  of  informative  components 
that,  in  combination,  allow  for  achieving  reliable  classification. 

Selection  of  the  informative  components  implies  that  contributions  of  particular  groups  of 
components  of  vector  X  to  the  classification  are  to  be  evaluated,  and  the  most  contributive 
group(s)  be  chosen  for  the  definition  of  the  classification  rule.  One  can  realize  that  in  order  to 
achieve  the  required  discrimination  power  of  the  selection  procedure,  the  groups  must  be  small, 
and  in  order  to  consider  combined  effects  of  several  variables  must  include  at  least  two  variables 
[1,2].  Consider  all  possible  combinations  of  two  variables  taken  out  of  n,  where  n  is  the 
dimension  of  vector  X .  It  could  be  said  now  that  the  classification  problem,  originally  defined 
in  the  space  X ,  now  will  be  considered  on  particular  two-dimensional  subspaces, 

X;  P)  Xj ,  where  i,j  =  \,2,...,n,  and  it  j . 

Assume  that  the  entire  array  of  points,  marked  as  “a”  or  “b”,  defined  in  the  n- 
dimensional  space  X  by  the  database  (3.1),  is  projected  on  particular  two-dimensional 
subspaces  (planes).  Let  us  visualize  possible  distributions  of  these  projections.  Figure  1  below 
illustrates  a  subspace  that  has  no  potential  for  the  development  of  a  classification  rule  due  to  the 
fact  that  points  marked  as  “a”  and  “b”  are  distributed  quite  uniformly  in  this  plane.  The 
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subspace  of  Figure  2  indieates  a  eertain  degree  of  separation  between  points  “a”  and  “b”  and, 
therefore,  should  be  viewed  as  informative.  Figures  4,  5,  6  also  illustrate  possible  eases  of 
separation  pattern  in  informative  subspaees. 

As  shown  in  Figures  4,  5,  6,  a  eorrelation  ellipse,  properly  defined  in  the  partieular 
informative  subspaee,  presents  an  ideal  ehoiee  of  the  separating  funetion.  Figure  3  indieates  that 
size,  shape,  position,  and  orientation  of  sueh  an  ellipse  are  defined  by  five  parameters: 

eoordinates  of  two  foeal  points,  [ctj  ,y5i],  [ctj  .A]  the  eonstant  S ,  sueh  that  for  any  points  of 
the  ellipse,  x,  ,  the  following  equation  holds. 


J(x.  -  +  1 

Similarly,  equations 

(xj  -  a) 

\x.-a^f  +  \ 

(xj  -  a) 

l'  =  ^  (3.3) 

-J(x,  -  «i)%  1 

k'- a) 

2 

+  ^| 

\x,-a2f  +  \ 

k'- a) 

l"  <  ^  (3.3a) 

y(x.  -  +  [xj  -  +  J(x.  -  «2)"  +  [^j  -  Pi)  ^  ^  (3-3b) 

represent  any  point  x^,Xj  within  and  outside  the  ellipse. 

Consider  the  problem  of  the  optimal  definition  of  parameters  ,^2  5/^2  ^ 

eorrelation  ellipse  for  a  partieular  separation  pattern  in  the  plane  eomprising  variables  Xi  and  xj. 
Aeeording  to  eondition  (3.2),  this  problem  eould  be  interpreted  as  the  minimization  of  a  loss 
funetion  that  ineludes  a  “penalty”  for  any  point  “a”  outside  the  ellipse, 

R\x;{k),x;{k)], 

and  a  “penalty”  for  any  point  “b”  within  the  ellipse, 

R^k)^  i?'’[xf(/t),x/(/t)],  i.e. 

(3-4) 

k=l  k=l 

where  N'^  and  are  number  of  points  “a”  and  “b”  in  the  database.  Intuitively,  these  penalties 
are  defined  as  follows: 


R^ik) 


0,  if  point  yxj‘^  {k),Xj^  (A:)J  satisfies  eondition  (3.3a) 

- - - if  point  Xj'^  {k),Xj‘^  (k)  satisfies  eondition  (3.3b) 

[xi^{k)- JUi^]  +[xf{k)-Rf\ 
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aaaaababbbabbbbbbb^''^ 


Figure  7-5 
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Figure  7-2 
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Figure  7-4 
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Figure  7-6 


Space  Planes  for  Event  Probability 


and 


R\k)^ 


0,  if  point  \xi^  {k),x  {k)  \  satisfies  condition  (3.3b) 


ifpoint  (A:), (A:) I  satisfies  condition  (3.3a) 


[xi^  {k)  -  f  +  Xj^  {k)  - 


where  land 


are  coordinates  of  the  geometric  centers  of  points  “a”  and 
points  “b”  distributed  in  the  plain  X;  P)xy  .  Such  a  choice  of  penalty  functions  places  highest 


emphasis  on  the  points  in  the  immediate  vicinity  of  geometric  centers. 

It  could  be  seen  that  the  loss  function  (3.4)  is  not  only  nonlinear  but  also  discontinuous 

with  respect  to  the  unknown  parameters  of  the  separation  ellipse  ,  «2  >  ’  ^]  •  Therefore 

our  attempt  to  obtain  the  numerical  values  of  these  parameters  by  minimizing  this  loss  function 
leads  to  a  highly  nonlinear  multivariable  optimization  problem  that  does  not  have  an  analytical 
solution.  Moreover,  finding  its  global  solution  numerically  would  also  be  a  very  difficult  task. 
Such  an  optimization  problem  presents  an  ideal  application  for  a  genetic  optimization  procedure 
that  combines  the  advantages  of  both  direct  and  random  search  [3,  4].  Application  of  a  genetic 
algorithm  results  in  the  definition  of  an  ellipse  that  indeed  contains  the  largest  possible  number 

of  points  “a”,  N‘^‘^ ,  and  the  smallest  possible  number  of  points  “b”,  .  Then  the  “goodness” 

of  the  ellipse-based  separating  rule  could  be  characterized  by  the  following  two  quantities: 

j^aa 

Pj„{a  I  a]  ~ - andPjAa  I  b]  ~  — j-  (3.5) 

representing  the  probabilities  of  a  point  “a”  and  a  point  “b”  to  be  found  within  the  ellipse,  see 
Figure  4. 

Should  we  assume  that  the  obtained  classification  rule,  reflecting  some  compromise 
solution,  could  not  be  further  improved?  In  our  experience  an  alternative  classification  rule 

could  be  obtained  by  establishing  an  ellipse  containing  as  many  points  “b”,  ,  and  as  few 

points  “a”,  ,  as  possible.  This  task  is  accomplished  by  the  appropriate  modification  of  the 

penalty  functions.  The  resultant  separating  rule  is  characterized  by: 


(3.6) 


representing  the  probabilities  of  a  point  “a”  and  a  point  “b”  to  be  found  outside  the  ellipse,  see 
Figure  5.  The  final  selection  of  a  separating  rule  should  implies  the  comparison  of  ratios 


Pin 


Pin{ala]  ^  Poj,t{a/ a} 

Pja/b]  6) 


(3.7) 
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obtained  for  the  “inside  the  ellipse”  and  “outside  the  ellipse”  rules,  and  choosing  the  rule  that 
results  in  the  largest  value. 

While  the  application  of  the  genetic  optimization  results  in  the  optimal  characteristics  of 
both  ellipses,  the  final  choice  of  ratio  (3.7)  provides  an  explicit  informativity  measure  of  the 
subspace  where  the  ellipses  are  established  thus  facilitating  the  selection  of  the  most 

informative  subspaces.  Unfortunately,  genetic  algorithms  emulating  evolutional  developments 
in  nature  are  too  slow  for  being  applied  to  the  entire  multitude  of  possible  combination  of  two 
components  out  of  n,  especially  if  n>20.  Therefore,  this  task  should  be  performed  on  the  basis  of 
a  less  rigorous  informativity  measure,  the  weighted  average  distance  between  points  “a”  and  “b” 
in  the  particular  subspaces. 


where 


1 


N  N  j  k=lm=l 


Z  Z  {k)  -  Xi^  {m)\  +  xf{k)-Xj^{m) 


<7i  are  a]  are  standard  deviations  of  variables  Xi  and  xj. 


(3.8) 


Finally,  the  proposed  procedure  implies 

1 .  Definition  of  all  two-dimensional  subspaces  of  the  space  X 

2.  Computation  of  the  informativity  measure  (3.8)  for  every  subspace 

3.  Selection  of  a  number  M  of  the  most  informative  subspaces 

4.  Selecting  one  of  the  M  informative  subspaces 

5.  Establishing  the  “inside  the  ellipse”  classification  rule  by  the  application  of  a  genetic 
optimization  procedure,  and  computation  of  the  Pi„  value  for  this  subspace 

6.  Establishing  the  “outside  the  ellipse”  classification  rule  by  the  application  of  a  genetic 
optimization  procedure,  and  computation  of  the  Pout  value  for  this  subspace 

7.  Selection  of  the  classification  rule  that  has  the  largest  p  value  for  this  subspace,  and 
return  to  Step  4,  until  the  list  of  informative  subspaces  will  be  exhausted. 

Proliferation  of  genetic  optimization  algorithms,  possessing  the  advantages  of  known 
random  and  direct  search  optimization  procedures,  combined  with  the  availability  of  high 
performance  computers  alleviates  major  obstacles  in  the  way  of  the  solution  of  multivariable 
nonlinear  optimization  problems.  The  following  figure  illustrates  application  of  a  genetic 
algorithm  to  the  solution  of  a  classification  problem  mentioned  above. 

The  algorithm  proceeds  as  follows.  Combinations  of  an  ellipse  parameters  represented  by 

vector  5-dimensional  space  S.  Since  those  parameters  have  bounded 

values,  consistent  with  the  initial  variables  X  of  the  classification  problem,  an  acceptable 
solution  will  be  within  a  subspace,  whose  boundaries  are  defined  by  the  following  inequality 
Pi<P<P2.  The  algorithm  forms  an  initial  grid  within  this  subspace  by  generating  K  uniformly 
distributed  points  Pi,  (i=l,2,  ...,K)  ,  that  represent  possible  solutions  of  the  optimization  problem. 

Each  point  Pi  of  the  initial  grid  represents  an  ellipse  that  is  being  assessed  for  the 
classification  rule  by  computing  the  corresponding  loss  function  E(Pj)  defined  in  (3.4),  where 

Pi  =(aii,  Pii,  a2i,  P2i,  Si). 
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After  the  loss  funetion  L(Pi)  has  been  caleulated  at  eaeh  point  of  the  initial  grid,  the  first 
generation  of  ellipses  is  formed  by  seleeting  Ng<K  points  Pj,  (j=l,2,  ...,Ng)  with  the  smallest 
values  oiL(P). 

The  process  of  parenting  involves  producing  No  offsprings  per  each  of  the  (Ng-1)  *Ng/2 
possible  pairs  of  points  from  the  initial  generation.  Each  offspring  is  a  new  point  in  the  5- 
dimensional  space  located  on  the  line  connecting  its  parents  Pi  and  Pj  and  selected  in  a 
random  fashion.  At  the  end  of  this  process  the  total  population  becomes  No*(Ng-l)*N^2+  Ng 
points. 

Parenting  is  followed  by  the  mutation  stage.  Each  point  from  the  expanded  population 
produces  Nm  mutations  (points  generated  randomly  in  the  immediate  area).  Thus,  the  total 
population  count  grows  to 


Eigure  7-7.  Genetic  optimization  for  optimal  ellipse  definition 


(Nm+l)(No*(Ng-l)*Ng/2+  Ng)  points.  A  successive  generation  is  formed  by  computing  the  loss 
function  for  all  the  points  and  selecting  Ng  points  with  the  smallest  values  of  the  loss  function 
L(P). 

The  processes  of  parenting,  mutation  and  forming  a  successive  generation  are  repeated 
until  a  termination  condition  is  satisfied.  The  optimization  routine  produces  the  output  in  the 
form  of  a  vector 


F^P^=(arT, 

which  represents  an  ellipse  resulting  in  the  best  separation  rule  attainable  for  the  particular 
combination  of  two  variables  of  the  initial  classification  problem. 
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4,  Bayesian  Decision  Making 

Statistical  analysis  of  the  network  data,  representing  normal  operation  of  the  network  and 
its  operation  under  known  DoS  attaeks,  results  in  the  extraetion  and  formalized  representation  of 
knowledge  of  various  effeets  of  the  attack  on  the  network.  This  information  is  attaek- ,  host-  and 
network-speeifie,  and  ean  be  used  for  early  attack  detection,  and  potentially,  for  the  type  of 
attaek  reeognition.  The  following  mathematieal  framework  is  suggested  for  the  attaek  deteetion 
seheme. 

Assume  that  the  preliminary  eluster  analysis  utilizing  the  informativity  eriterion  (3.8)  has 
resulted  in  the  set  of  M  two-dimensional  informative  subspaces.  Then  the  set  of  M  respective, 
either  “inside  the  ellipse”  or  “outside  the  ellipse”  elassifieation  rules,  Ri[X(k)],  i  =1,2, 3, ..M,  was 
developed  by  the  applieation  of  genetie  optimization.  One  ean  realize  that  eaeh  rule  utilizes  only 
those  two  eomponents  of  veetorXthat  constitute  the  i-th  informative  subspaee.  For  simplicity, 
assume  that  eaeh  elassifieation  rule  is  designed  to  return  a  negative  value  for  the  majority  of 
points  representing  an  attaek  situation  (and  marked  by  an  “a”).  It  is  expeeted  that  every 
vector  A",  representing  an  attaek,  and  every  veetor  A^,  representing  a  normal  network  operation, 
would  satisfy  only  some  elassifieation  rules  but  not  all  of  them.  Consider  the  following  random 
events: 


Ej:  Ri[X(k)J<0  nR2[X(k)]<0  nRs[X(k)]^  nR4[X(k)]^  n  ...  RM[X(k)]^ 
E2:  Ri[X(k)]>0  nR2[X(k)]^  nR3[X(k)]<0  nR4[X(k)]<0  n  ...  RM[X(k)]<0 
Es:  Ri[X(k)]<0  nR2[X(k)]>0  nR3[X(k)]^  nR4[X(k)]<0  n  ...  RM[X(k)]<0 
E4:  Ri[X(k)J>0  nR2[X(k)]>0  nR3[X(k)]^  nR4[X(k)]<0  n  ...  RM[X(k)]<0 
Es:  Ri[X(k)]<0  nR2[X(k)]^  nR3[X(k)]>0  nR4[X(k)]<0  n  ...  RM[X(k)]<0 


El:  Rj[X(k)J>0  n R2[X(k)J>0  n R3[X(k)]>0  n  R4[X(k)]>0  n  ...  RM[X(k)]>0  (4.1) 

representing  speeifie  eombinations  of  olassifieation  rules  satisfied  by  every  veetor  First, 
note  that  L=2^.  Probabilities  of  these  events,  evaluated  separately  for  veetors  A“  and  A*, 
eonstitute  the  following  set  of  eonditional  probabilities  instrumental  for  the  deeision  making 
proeedure: 


p{Ei  la]  and  p{Ei  lb],  i  =  1,2,..., L  (4.2) 

These  off-line  tasks  eould  be  viewed  as  the  development  of  a  eluster  model  of  the  network  and 
eonstitute  the  “learning”  proeess. 

Now  eonsider  the  utilization  of  the  eluster  model  for  on-line  attaek  deteetion.  Note  that  at 
this  point,  we  will  eonsider  any  abnormal  state  of  the  network  as  a  manifestation  of  the  incipient 
attaek.  Assume  that  the  probability  of  attaek  on  the  network  has  some  initial  value,  established 
according  to  the  existing  statistics,  ^[0] ,  and  therefore  the  probability  of  normal  operation, 

2[0]-  l-r[0]. 

Assume  that  veetor  A( A:)  =  [xi(k),X2(A:),X3(k),...,x„(k)]  represents  the  most  reeent  state 
of  the  network.  Numerieal  values  of  eomponents  of  this  veetor,  applied  to  the  elassifieation  rules 
Ri[XJ,  i=\,2,..,M,  results  in  a  particular  combination  of  numerical  values 
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R,[X(k)],  R2[X(k)],  R3[X(k)J,  RMfX(k)J 


that  could  be  identified  as  the  occurrenee  of  one  of  the  events  (4.1),  for  example,  Ej,  Now  the 
availability  of  eonditional  probabilities  (4.2)  facilitates  the  application  of  Bayesian  approaeh  for 
the  re-evaluation  of  the  probability  of  the  attack  (i.e.  the  probability  of  the  point  to  be 

marked  by  an  “a”)  subject  to  the  oeeurrenee  of  the  event  Ej ,  p|  a  /  | .  One  ean  realize  that 

unconditional  probabilities,  P{ a}  +P{b}  =  1,  therefore 

p[  a!  Ej]^  p[  Ej }  =  p[  Ej  /  a}  P{  a}  and  p[  Ej }  =  p[  Ej  /  a}  P{a}  +  p[  Ej  /  h}  P{b}  , 


and  the  required  probability  can  be  expressed  as. 


F 

{Ejla\ 

P{a} 

p\ 

\Ejla] 

P{a}+  p[Ej  /h}p{h} 

M-p[Ejla\ 

r[0]-  p[e j  I  +  X[0]-  p[e j  I 


(4.3) 


Computation  (4.3)  results  in  an  updated  value  of  the  probability  of  attack,  Pja  /  |  that  could 

be  eompared  against  some  arbitrary  defined  threshold  value.  A  warning  message  indicating  an 
incipient  attaek  should  be  issued  if  the  probability  of  attack  exceeds  the  threshold.  This 
eompletes  one  cycle  of  the  proposed  procedure.  At  the  next  eyele,  the  “prior”  probabilities  of 
attack  and  the  normal  operation  are  defined  as, 

y[k]  =  pja  /  £'^-|  and  yl[k]  =  1- pja  /  £'^-| 
and  the  new  value  of  the  network  state  vector, 

A(k  +  l)  =  [xi(k  +  l),X2(k  +  l),X3(k  +  l),...,x„(k  +  l)] 
is  to  be  analyzed  with  the  consequent  computation  of  probabilities  y[k+  l]  and  X[k+  l] .  This 
proeedure,  intended  for  continuous  real-time  applieation,  is  eapable  of  providing  a  timely  and 
objective  information  to  the  network  operator  providing  mathematically  justified  support  of 
his/her  deeisions. 

5,  Definition  of  the  “Normal”  Status  of  a  Computer  Network 

The  definition  of  the  “normal”  status  of  a  computer  network  depends  on  the  particular 
configuration  and  patterns  of  usage  of  the  specific  network  to  be  proteeted.  For  a  given  network, 
the  availability  of  a  network  monitoring  system  allows  us  to  aeeumulate  a  database,  representing 
the  network  status  observed  during  periods  of  both  “normal”  operation  as  well  as  specifie  attack 
scenarios.  This  database  should  provide  suffieient  information  for  the  deteetion  of  speeific 
ehanges  in  the  network  status  caused  by  information  attacks.  Recall  that  each  database  reeord 
eontains  data  representing  the  network  status  at  a  discrete  time  k  and  has  the  format  {X(k),  Q(k)}, 
where  X(k)  is  the  state  veetor  representing  the  status  of  the  network  at  the  discrete  time  k  and 
Q(k)  is  a  flag  indicating  the  presence  or  absenee  of  an  attack  at  time  k. 

The  dynamic  properties  of  a  computer  network  that  represent  its  status  are  deseribed  by 
the  properties  of  the  network  traffic  flows  through  its  particular  modules.  These  properties 
include  the  volumes,  compositions  and  rates  of  change  of  the  traffic  flows.  Although  these 
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parameters  fluctuate  during  normal  periods  of  network  operation,  it  is  possible  to  distinguish  a 
particular  information  attack  based  upon  the  unique  effect  it  has  on  these  parameters. 

The  experimental  network  chosen  for  this  study  is  representative  of  many  intranet 
configurations  currently  in  use.  The  specific  configuration  of  the  experimental  network  is  shown 
in  Figure  8.  It  consists  of  a  small  local  area  network  (LAN)  with  a  connection  to  the  Internet 
provided  through  a  router,  which  lies  outside  of  the  administrative  domain  of  the  experimental 
setup.  The  connection  to  the  router  thus  represents  the  “gateway  connection”  through  which  all 
external  traffic  enters  the  experimental  network.  This  figure  can  be  generalized  to  represent 
nearly  any  computer  network.  We  have  placed  the  network  monitoring  station  at  the  gateway 
connection  of  the  network  to  be  able  to  easily  monitor  all  traffic  flows  into  the  network. 


LAN  CONNECTIONS  TO 
SERVERSAVORKSTATIONS 

Figure  7-8.  Experimental  network  configuration 

Our  experimental  setup  consists  of  a  100  Mbps  switched  Ethernet  network 
interconnecting  several  SUN  UltraSparc  computers,  some  of  which  are  client  workstations  while 
others  serve  as  Web  and  file  servers.  The  network  monitoring  systems  consists  of  a  SUN 
UltraSparc  workstation  with  two  network  interface  cards  placed  inline  at  the  network  gateway 
connection.  This  system  monitors  network  packets  both  entering  and  leaving  the  network. 

Since  the  experimental  setup  uses  TCP/IP  protocols,  the  state  space  of  the  network  has  been 
defined  in  terms  specific  to  these  protocols.  State  variables  represent  measured  quantities  of  the 
aggregate  network  traffic,  using  a  variety  of  decompositions.  For  each  measured  quantity,  its 
time  derivative  is  also  used  as  a  state  variable. 

Information  attacks  usually  attack  a  specific  protocol.  For  example,  TCP  SYN  attacks 
target  the  TCP  protocol,  while  the  Ping  Flood  attack  targets  IP  control  protocol.  The  aggregate 
network  traffic  is  decomposed  into  streams  identified  by  network  protocol.  The  fractions  of  total 
packets  utilizing  the  TCP  and  UDP  protocols  are  measured. 

The  aggregate  network  traffic  is  then  characterized  by  its  general  flow  characteristics. 
The  total  volume  of  network  traffic  is  measured,  in  bytes  per  second  (normalized  to  the 
maximum  rate  allowed  by  the  network).  We  also  measure  traffic  rate  in  packets  per  second, 
(normalized  to  the  maximum  packet  rate  for  the  network).  The  average  packet  length  may 
provide  an  indication  of  irregular  packet  flows  that  could  be  a  sign  that  an  attack  is  in  progress. 
The  traffic  stream  is  decomposed  into  percentages  of  large,  medium,  and  small  packets.  Without 
loss  of  generality,  we  have  considered  100  bytes  or  less  to  be  a  small  packet,  and  500  bytes  or 
greater  to  be  a  large  packet;  all  others  are  considered  medium  packets. 
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Table  7-1  Data  Traffic  Variables  Subjected  to  Statistical  Analysis 


Variable 

Description 

Comment 

Xl 

fraction  of  packets  utilizing  TCP  protocol 

relative  units 

X2 

fraction  of  packets  utilizing  TCP  protocol,  rate  of  change 

relative  units 

X3 

fraction  of  packets  utilizing  UDP  protocol 

relative  units 

X4 

fraction  of  packets  utilizing  UDP  protocol,  rate  of  change 

relative  units 

Xs 

fraction  of  large  (>500  b3Tes)  packets  in  the  flow 

relative  units 

X6 

fraction  of  large  (>500  bytes)  packets  in  the  flow,  rate  of  change 

relative  units 

Xv 

fraction  of  medium  packets  in  the  flow 

relative  units 

Xg 

fraction  of  medium  packets  in  the  flow,  rate  of  change 

relative  units 

X9 

fraction  of  small  (<100  bytes)  packets  in  the  flow 

relative  units 

XlO 

fraction  of  small  (<100  bytes)  packets  in  the  flow,  rate  of  change 

relative  units 

Xll 

total  volume  of  traffic,  normalized 

packets  per  sec 

Xl2 

total  volume  of  traffic,  normalized,  rate  of  change 

relative  units 

Xl3 

fraction  of  TCP  packets  that  are  control  type  packets 

relative  units 

Xl4 

fraction  of  TCP  packets  that  are  control  packets,  rate  of  change 

relative  units 

Xl5 

fraction  of  IP  packets  that  are  control  type  packets 

relative  units 

Xl6 

fraction  of  IP  packets  that  are  control  type  packets,  rate  of  change 

relative  units 

Xi7 

fraction  of  total  packets  that  are  control  type  packets 

relative  units 

Xl8 

fraction  of  total  packets  that  are  control  packets,  rate  of  change 

relative  units 

Xl9 

traffic  volume,  normalized 

bytes  per  second 

X20 

traffic  volume, ,  rate  of  change 

relative  units 

X21 

fraction  of  IP  packets  that  are  fragments 

relative  units 

X22 

fraction  of  IP  packets  that  are  fragments 

relative  units 

Q  =  ”A” 

indication  of  a  known  attack 

Q  =  “B” 

normal  operation  of  the  network 

When  network  messages  are  too  large  for  network  packets,  the  message  is  fragmented 
and  transmitted  into  several  packets.  Some  attacks,  such  as  Ping  Flood,  may  be  characterized  by 
a  large  number  of  fragmented  messages.  The  ratio  of  fragmented  traffic  to  total  traffic  is 
measured,  as  well  as  the  rate  of  change  of  the  ratio. 

Most  network  protocols  identify  both  data  packets,  which  carry  user  application  data,  and 
control  type  packets,  which  are  used  to  implement  the  protocol  itself  Many  attack  scenarios 
exploit  holes  in  the  protocol  architecture  or  bugs  in  a  specific  implementation  of  a  protocol. 

Thus,  the  percentage  of  packets  that  are  control  type  packets  are  measured  for  each  protocol.  In 
the  TCP  protocol,  for  example,  we  classify  a  packet  as  a  control  packet  if  the  SYN,  FIN,  or 
RESET  flags  are  set.  We  also  measure  the  fraction  of  total  traffic  that  represents  control  type 
packets.  The  above  table  summarizes  designation  of  particular  variables  -  components  of  the 
database. 


6,  Experimental  results  and  their  interpretation 

To  evaluate  the  proposed  approach  to  attack  detection  in  computer  networks,  we  have 
chosen  the  two  most  common  types  of  denial  of  service  attacks,  TCP  SYN  attack  and  Ping 
Elood  attack,  that  were  deployed  in  an  experimental  computer  network.  A  software 
implementation  of  each  attack  was  written  in  C++  and  launched  from  computers  outside  of  the 
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experimental  network.  Attack  packets  were  tagged  (utilizing  the  unused  type  of  service  field  in 
the  IP  packet  header)  for  classification  by  the  network  monitoring  station. 

For  each  attack  type,  a  database  of  network  status  vectors  was  collected  over  a  24  hour 
period  at  1  second  intervals.  During  this  24  hour  period,  two  attacks  were  launched  at  arbitrary 
times.  Thus,  the  database  for  each  attack  contained  vectors  representing  both  the  normal  status 
of  the  network  and  the  status  of  the  network  during  an  attack. 

TCP  SYN  Attack 

The  results  of  cluster  analysis  of  the  “attack/normal”  data  traffic  are  shown  in  Figs.  9.1- 
9.3.  The  informative  components  of  the  network  status  chosen  by  the  cluster  analysis  procedure 
are  fraction  of  small  packets  (xg),  fraction  of  control  packets  (xn),  fraction  of  TCP  packets  (xi), 
and  fraction  of  UDP  packets  (X3).  These  were  combined  into  the  informative  subspaces  (x9,xi7), 
(x3,xi7),  and  (xi,xi7).  TCP  SYN  attacks  are  characterized  by  a  large  number  of  TCP  control 
packets  (SYN  packets)  flooding  the  target  network.  These  packets  are  small  (generally  40 
bytes).  Each  figure  shows  the  ellipse  chosen  by  the  cluster  analysis  procedure  plotted  against  the 
data.  In  all  cases,  a  point  inside  the  ellipse  is  classified  as  an  attack  point. 

From  Figure  9.1,  it  is  clear  that  during  a  TCP  SYN  attack  there  is  both  a  high  percentage 
of  small  packets  and  a  high  percentage  of  control  packets,  consistent  with  the  nature  of  the 
attack.  Since  nearly  all  control  packets  are  small,  the  fraction  of  control  packets  rarely  exceeds 
the  fraction  of  small  packets,  explaining  the  near  absence  of  points  above  the  line  xi7=X9.  Attack 
points  represent  a  high  fraction  of  both  control  and  small  packets;  as  these  fractions  approach  the 
maximum  they  are  nearly  equal  and  appear  closely  spaced  around  the  line  xi7=X9.  There  are  a 
few  non-attack  points  that  exhibit  both  a  high  fraction  of  control  packets  and  a  high-fraction  of 
small  packets.  However,  unlike  a  TCP  SYN  attack  scenario,  these  points  represent  periods  when 
the  network  was  relatively  quiet  and  thus  generally  will  not  be  classified  as  attack  points  in  the 
other  subspaces.  This  illustrates  the  increased  classification  accuracy  gained  by  considering 
several  informative  subspaces. 

Figures  9.2  and  9.3  show  the  second  and  third  most  informative  subspaces  selected  by  the 
cluster  analysis,  respectively.  Since  TCP  SYN  attack  is  characterized  by  a  high  percentage  of 
TCP  control  packets,  it  is  counterintuitive  that  the  subspace  (x3,xi7),  representing  the  fraction  of 
control  packets  vs.  the  fraction  of  UDP  packets,  is  considered  “more  informative”  than  subspace 
(xi,xi7),  representing  the  fraction  of  control  packets  vs.  the  fraction  of  TCP  packets.  One 
possible  explanation  is  given  as  follows.  The  subspace  in  Figure  9.3  indicates  that  during  an 
attack  there  is  both  a  high  percentage  of  TCP  packets  and  a  high  percentage  of  control  packets  in 
the  network.  This  is  a  situation  that  can  also  occur  normally,  however,  especially  when  the 
network  is  experiencing  a  very  light  load.  Figure  9.2  illustrates  that  during  an  attack,  the  flood  of 
TCP  SYN  packets  causes  a  decrease  in  the  flow  of  UDP  packets  due  to  the  high  rate  of  control 
packets  consuming  network  bandwidth.  This  combination,  however,  may  not  occur  as 
frequently  during  normal  operation,  even  when  the  network  is  experiencing  a  light  load.  Thus, 
cluster  analysis  has  the  ability  to  infer  subtle  relationships  between  network  status  variables 
which  may  not  be  obvious  and  which  may  indeed  be  counterintuitive. 

Figure  10  illustrates  the  application  of  the  results  of  the  cluster  analysis  to  the  on-line 
detection  of  network  attacks.  Here,  the  established  classification  rules  are  used  to  compute  a 
sequence  of  events  (4.1)  based  on  the  varying  status  of  the  network.  These  events  are  used  to 
update  the  probability  of  attack.  In  the  figure,  time  is  shown  in  seconds  and  the  reference  time 
was  arbitrarily  chosen  just  prior  to  the  start  of  the  attack.  The  figure  presents  both  the  rate  of 
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Figure  7-9.2 

Figure  7-9.1  thru  7-9.2  Attack/Normal  Data  Traffic  Cluster  Analysis  Results 


Time  (s) 

Figure  7-10.  Attack  Rate  and  Attack  Probability 


53 


attack  packets  entering  the  network,  normalized  to  the  maximum  rate  observed,  and  the 
probability  of  attaek  iteratively  ealeulated  as  per  (4.3).  This  figure  shows  that  the  attaek  begins 
gradually,  at  about  time  20see,  and  inereases  in  an  exponential  manner  until  it  reaehes  its 
maximum  rate.  During  the  initial  stages  of  the  attaek,  the  ineoming  traffie  is  light  and  does  not 
have  a  signilieant  effeet  on  the  probability  of  attack.  At  about  time  58see,  the  attack  begins  to 
inerease  in  severity,  and  the  probability  of  attaek  reaets  quickly.  Based  on  this  data,  we  have  set 
the  “threshold  of  attaek”  at  .3,  at  whieh  point  notifieation  should  be  made  in  order  that 
eountermeasures  be  taken.  It  is  interesting  to  note  that  the  probability  of  attaek  reaehes  1  before 
the  attaek  reaehes  it  full  foree,  leading  the  attaek  and  providing  early  warning.  It  should  also  be 
noted  that  the  typical  duration  of  a  TCP  SYN  flood  is  measured  in  hours,  while  the  proposed 
approaeh  deteeted  the  attaek  in  less  that  40  s.  The  aetual  detection  time  is  based  on  both  the  rate 
of  progress  of  the  attaek  and  the  normal  traffie  patterns  on  the  network  being  proteeted. 

Ping  Flood  Attack 

The  results  of  eluster  analysis  for  Ping  Flood  on  the  experimental  network  are  shown  in 
Figs.  11.1-11.3.  The  informative  eomponents  of  the  network  status  ehosen  by  the  eluster 
analysis  proeedure  are  fraetion  of  IP  eontrol  packets  (X15),  fraetion  of  eontrol  paekets  (xn),  rate 
of  change  in  the  fraction  of  IP  control  packets  (xie),  and  fraetion  of  Large  paekets  (xs).  These 
were  eombined  into  the  informative  subspaees  (xi7,xi5),  (xi6,xi5),  and  (xi5,X5).  Ping  Flood 
attaeks  are  eharaeterized  by  a  large  number  of  IP  eontrol  paekets  (ICMP  eeho  paekets)  flooding 
the  target  network.  These  paekets  are  generally  large. 

From  Figurel  1.1,  it  is  elear  that  the  most  informative  charaeteristies  of  a  Ping  flood 
attack  are  a  large  fraction  of  control  packets,  nearly  all  of  which  are  IP  eontrol  packets, 
eonsistent  with  the  nature  of  the  attaek.  Figure  11.2  shows  that  ping  flood  attaeks  ean  be 
distinguished  from  normal  traffie  that  has  a  high  fraetion  of  IP  eontrol  traffie  based  on  the  rate  of 
ehange  of  IP  eontrol  traffie.  Figure  1 1.3  also  illustrates  that  normal  traffic  can  have  a  wide  range 
of  fraetion  of  IP  eontrol  traffie,  but  Ping  Flood  attaeks  ean  be  distinguished  by  their  high  fraction 
of  large  paekets  in  the  network. 

Figure  12  illustrates  the  applieation  of  the  results  of  the  eluster  analysis  to  the  on-line 
deteetion  of  ping  flood  attaeks  in  the  target  network.  This  figure  shows  that  the  attaek  begins 
gradually,  at  about  time  30s,  and  inereases  in  an  exponential  manner  until  it  reaehes  its 
maximum  rate.  Like  the  TCP  SYN  flood  attaek,  during  the  initial  stages  of  the  attaek,  the 
ineoming  traffie  is  light  and  does  not  have  a  signilieant  effeet  on  the  probability  of  attaek.  At 
about  time  80s,  the  attack  begins  to  inerease  sharply,  and  the  probability  of  attaek  reacts.  Again, 
the  probability  of  attaek  leads  the  attack  itself,  reaching  1  before  the  attaek  reaehes  full  foree. 
Also,  the  attaek  was  deteeted  very  early,  in  about  50  s  in  this  experiment.  Aetual  attaeks  are 
measured  on  a  seale  of  hours. 

It  eould  be  seen  that  an  attaek  warning  message  eould  be  generated  should  the  attack 
probability  value  exeeeds  eertain  threshold.  Otherwise,  applieation  of  the  developed  software 
provides  the  network  operator  some  important  insights. 
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Fraction  of  IP  Control  Packets 


Figure  7-12.  Attack  Rate  and  Attack  Probability 
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VIII.  Experimental  Computer  Network  Testbed 


Overview 

To  conduct  the  experimental  eomponent  of  the  project,  a  computer  network  testbed 
comprising  several  PCs  and  workstations,  custom  and  commercial  software,  and  imitating  hosts 
and  users  is  being  developed.  The  configuration  of  this  network  has  been  chosen  to  be 
representative  of  many  intranet  configurations  currently  in  use.  The  organization  of  the 
hardware  eonfiguration  of  the  experimental  network  is  shown  in  Figure  XI.  It  eonsists  of  a 
small  heterogeneous  loeal  area  network  (LAN)  with  a  connection  to  the  Internet  provided 
through  a  router  (not  shown),  whieh  lies  outside  of  the  administrative  domain  of  the 
experimental  setup.  To  prevent  baekseatter  and  other  malieious  traffic  from  being  unleashed 
onto  the  Internet,  the  experimental  setup  has  only  controlled  and  limited  aceess  to  external 
networks.  A  gateway  sentinel  computer,  which  lies  between  the  network  aecess  point  and  the 
external  router,  acts  as  a  filter  that  removes  malieious  traffic  leaving  the  network,  while  allowing 
malieious  traffic  to  enter  the  network  unrestricted.  The  network  monitoring  system  measures  the 
traffie  before  outgoing  malicious  traffic  is  removed,  thus  allowing  the  measurement  of  malicious 
traffic  in  both  directions  and  providing  the  illusion  of  unrestricted  aeeess  to  the  Internet.  The 
monitoring  and  filtering  functions  have  been  designed  to  be  implemented  in  very  effieient 
software  routines  capable  of  providing  the  required  database  of  network  status  records  without 
impacting  traffic  flow. 


Internet 

Aceess 


LAN  Conneetions 


Figure  8-1.  Experimental  network  eonfiguration 

The  experimental  setup  eonsists  of  a  heterogeneous  switehed  Ethernet  network 
interconnecting  several  Intel  Pentium  and  SUN  UltraSpare -based  computers,  some  of  which 
imitate  elient  workstations  while  others  aet  as  Web  and  file  servers.  The  network  monitoring 
system  consists  of  a  Pentium-based  workstation  with  two  network  interface  cards,  placed  inline 
at  the  primary  incoming  network  connection.  This  system  monitors  network  packets  both 
entering  and  leaving  the  network.  Sinee  the  experimental  network  is  representative  of  modern 
Internet  Protoeol  based  networks,  standard  off-the-shelf  hardware  and  software  components 
have  been  used. 
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To  generate  attaek  traffie,  custom  software  has  been  written  to  emulate  DoS  attacks.  For 
our  initial  investigation,  the  TCP  SYN  attack  and  the  Ping  Flood  attacks  have  been  chosen. 

These  attacks  were  are  the  most  common  DoS  attacks  launched  against  internet  servers.  They 
are  well-known,  well  understood,  and  easily  implemented.  By  using  these  well-know  attack 
scenarios,  the  behavior  of  the  overall  network  can  be  more  easily  monitored.  Other  DoS  attacks 
are  being  studied  and  will  be  tested. 

Traffic  Generation 

Numerous  databases  of  network  status  information  have  been  collected  from  a  live 
network  to  provide  early  data  used  for  experimentation.  Since  the  experimental  network  will  be 
subjected  to  a  number  of  malicious  attacks,  however,  it  is  not  reasonable  to  host  any  real  network 
services,  such  as  Web  and  file  servers,  on  it.  Thus,  the  normal  flow  of  traffic  on  the 
experimental  network  will  be  stimulated  using  a  combination  of  acquired  and  developed  traffic 
models.  These  models  will  emulate  the  normal  operation  of  the  network  and  will  contain 
synthetic  traffic  injected  into  the  network  as  well  as  actual  normal  traffic  generated  locally. 
Synthetic  traffic  models  will  consist  of  actual  measured  packet  traces  gathered  from  a  real 
network.  The  traffic  generator  will  imitate  external  hosts  and  be  responsible  for  the  generation 
of  all  incoming  traffic,  while  machines  inside  the  test  network  will  react  and  respond  to  this 
traffic  (based  on  connection  relationships  and  flows  defined  in  the  trace  file).  To  maintain 
realistic  traffic  patterns,  inter-packet  timing  relationships,  obtained  from  the  traces,  will  be 
maintained  at  the  network  hosts  but  packets  in  transit  will  be  subjected  to  actual  network  delays. 
This  means  that  host  processing  delays  and  “external”  network  delays,  present  in  the  traces,  will 
be  preserved,  while  network  delays  and  inter-packet  timing  relationships  will  vary  depending  on 
the  actual  network  operation.  This  should  provide  a  reasonably  realistic  model  of  normal 
network  traffic.  As  part  of  the  proposed  effort,  this  model  will  be  evaluated  against  measured 
traffic  patterns  to  determine  it’s  accuracy  in  capturing  network  dynamics. 

Once  the  normal  traffic  patterns  are  established,  the  network  will  be  subjected  to  several 
information  attacks.  Using  information  obtained  from  CERT  [20]  and  other  sources  on  current 
trends  and  known  models  of  DoS  attacks,  a  number  of  well-known  DoS  attack  scenarios  will  be 
implemented  and  launched.  If  available,  traces  from  actual  DoS  attacks  will  also  be  used  to 
generate  DoS  attack  models. 

Attack  Generation 

To  generate  attacks  on  the  experimental  network,  custom  attack  programs  have  been 
written  for  the  TCP  SYN  and  Ping  Flood  attacks.  We  have  initially  chosen  these  two  attacks 
because  they  are  very  easy  for  attackers  to  launch,  are  very  effective  at  disabling  the  target,  and 
attack  the  two  most  prevalent  protocols  used  in  the  internet:  Transmission  Control  Protocol  and 
Internet  Protocol. These  programs  simulate  the  occurrence  of  distributed  DoS  attacks.  These 
programs  are  executed  from  the  gateway  sentinel  and  inject  malicious  traffic  into  the 
experimental  network.  The  characteristics  of  the  attack  can  be  varied  to  simulate  a  number  of 
different  attack  scenarios. 

A  TCP  SYN  flood  attack  is  characterized  by  a  large  volume  of  transmission  control 
protocol  (TCP)  connection  initiation  packets  flooded  into  the  target  network.  TCP  is  one  of  the 
main  protocols  used  in  the  Internet.  As  part  of  the  connection  initiation  procedure,  TCP  uses  a 
three-way  handshake.  The  client  requests  a  connection  with  the  server  by  sending  a  TCP  packet 
with  the  synchronize  (SYN)  flag  set.  The  server  normally  responds  by  replying  with  a  packet 
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that  has  both  the  SYN  and  acknowledgement  (ACK)  flags  set,  indicating  that  it  is  requesting  a 
connection  in  the  opposite  direction  and  that  it  is  acknowledging  or  accepting  the  original 
connection  request.  To  complete  the  three-way  handshake,  the  client  responds  with  an  ACK.  In 
a  TCP  SYN  flood  attack,  the  attacker  sends  a  large  volume  of  TCP  packets  with  the  SYN  flag 
set  and  a  random  or  non-existent  host  in  the  return  address  fleld  in  the  packet.  When  the  packet 
is  received  by  the  server,  the  server  reserves  some  memory  for  the  connection  and  replies  with 
the  second  part  of  the  three-way  handshake.  Since  the  return  address  in  the  initial  packet  is  not 
valid,  however,  the  handshaking  sequence  never  completes.  Ultimately,  the  server  runs  out  of 
memory  to  assign  to  new  connections,  preventing  legitimate  users  from  establishing  new 
connections.  In  a  distributed  TCP  SYN  Flood  attack,  the  attack  is  launched  from  many  different 
computers,  increasing  the  volume  of  packets  flowing  into  the  target  network. 

To  simulate  a  distributed  SYN  flood,  a  freely  available  program  called  Neptune  was 
obtained  and  modifled  to  suit  our  needs.  Neptune  is  a  program  that  implements  a  TCP  SYN 
flood  attack  from  a  single  host.  It  periodically  generates  TCP  SYN  packets  and  sends  them  to 
the  target  with  a  return  address  specified  as  an  input  to  the  program.  Neptune  was  not  well 
suited  for  simulation  of  a  distributed  attack,  which  is  generally  implemented  by  controlling 
many  slave  computers  from  a  master.  The  master  sends  a  control  to  the  slaves,  indicating  when 
the  attack  should  begin.  Since  the  slaves  are  not  time  synchronized  and  will  not  receive  this 
command  simultaneously,  the  attack  will  generally  start  off  slowly  and  build  in  intensity  as  more 
and  more  slaves  join  in.  To  simulate  a  distributed  attack,  the  timing  characteristics  of  Neptune 
were  modified.  Packets  are  first  sent  at  a  predefined  rate  and  the  rate  of  attack  is  gradually 
increased  as  the  attack  progresses.  We  have  implemented  a  number  of  methods  for  increasing 
the  rate  of  attack,  including  linear,  exponential,  and  random  growth.  Other  major  modifications 
were  made  to  the  program  to  suit  our  experimental  environment,  including  the  ability  to  tag 
attack  packets  and  methods  for  preventing  the  reply  packets  generated  at  the  target  computer 
from  leaving  the  test  network.  Our  TCP  SYN  attack  program  allows  us  to  alter  the  timing 
characteristics  of  the  attack  scenario,  which  allows  training  over  a  number  of  different  scenarios 
as  well  as  testing  the  attack  detection  software  against  previously  unknown  attack  scenarios. 

A  Ping  Flood  attack  exploits  characteristics  of  the  Internet  Protocol  (IP),  the  protocol  that 
transfers  packets  across  the  Internet.  A  subset  of  IP,  the  Internet  Control  Message  Protocol 
(ICMP),  includes  an  echo  request  that  can  be  used  to  determine  if  a  computer’s  IP  software  is 
functioning  correctly.  The  client  sends  a  packet  requesting  an  ICMP  echo  and  the  server  replies 
by  returning  the  packet  back  to  the  client.  By  sending  many  such  packets  to  a  computer,  and 
attacker  can  consume  the  bandwidth  of  the  links  connecting  that  computer  to  the  network, 
preventing  legitimate  traffic  from  reaching  the  target.  Another  feature  of  IP  that  is  often 
exploited  in  these  attacks  is  fragmentation.  When  a  very  large  packet  is  transmitted  across  the 
Internet,  it  often  exceeds  the  maximum  packet  size  supported  by  the  intermediate  network  links 
over  which  it  travels.  In  such  cases,  IP  breaks  the  original  packet  into  fragments,  which  are 
reassembled  at  the  destination.  By  using  the  maximum  IP  packet  size  during  a  ping  flood 
attack,  the  attacker  can  increase  the  volume  of  traffic  to  the  target  as  well  as  consume  resources 
at  the  target  required  to  reassemble  the  packet. 

A  program  has  been  written  in  C  to  simulate  a  distributed  Ping  Flood  attack.  This  program 
opens  a  raw  socket,  which  allows  arbitrarily  formed  packets  to  be  injected  into  the  network.  The 
program  forms  ICMP  echo  packets  destined  for  the  target  network  with  pseudo  random  (or  non¬ 
existent)  source  addresses.  The  program  breaks  large  packets  into  fragments,  which  are 
subsequently  put  onto  the  network  to  be  reassembled  at  the  target.  To  simulate  a  distributed 
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attack,  the  time  between  packet  injeetions  ean  be  varied  using  a  number  of  approaches,  similar  to 
those  used  in  the  TCP  SYN  attaek  software  deseribed  above.  Paekets  ean  be  tagged  for  training 
purposes. 

Network  Monitoring  System 

The  network  monitoring  system  consists  of  a  Linux -based  workstation  running  a  custom 
packet-sniffing  program  designed  to  eapture  relevant  network  status  information.  This  program 
was  written  in  C++  using  the  widely  available  PCAP  paeket  eapture  library.  With  the  network 
interfaee  in  promiscuous  mode,  all  network  packets  are  inspeeted  and  passed  to  a  parsing 
funetion  that  analyses  paeket  headers  to  compute  relevant  sensor  statistics.  Packets  statistics  are 
eomputed  based  on  paeket  type  and  subtype,  allowing  eolleetion  of  generalized  network  status 
as  well  as  protoeol  speeffie  information.  The  sensor  periodieally  adds,  at  predefined  intervals,  a 
network  status  vector  to  a  database.  The  sensor  uses  tags,  plaeed  in  packets  by  the  attaek 
generation  software,  to  classify  each  vector  as  attack  or  normal. 

Since  the  experimental  setup  uses  TCP/IP  protoeols,  the  state  spaee  of  the  network  has 
been  defined  in  terms  speeifie  to  these  protoeols.  Some  state  variables  represent  measured 
quantities  of  the  aggregate  network  traffie,  while  others  quantify  individual  eomponents  of 
network  traffie,  using  a  variety  of  deeompositions.  Changes  in  flow  eomposition  may  provide 
an  indieation  of  irregular  paeket  flows  that  eould  be  a  sign  that  an  attaek  is  in  progress. 
Flooding-based  DoS  attaeks,  for  example,  are  generally  charaeterized  by  a  large  pereentage  of 
maximum-sized  paekets  flowing  into  the  network.  These  flow  eharacteristies  will  be 
periodieally  written  to  the  database,  along  with  the  rate  of  ehange  of  eaeh.  Some  of  the  flow 
eharaeteristies  that  will  be  monitored  are  deseribed  below. 

The  total  instantaneous  rate  of  the  flow,  in  both  bytes  per  seeond  and  paekets  per  seeond, 
will  be  measured  as  well  as  the  rates  of  ehange  of  the  flow.  The  pereentage  of  ineoming  and 
outgoing  traffic  will  be  calculated,  and  these  will  be  further  divided  into  pereentages  of  small, 
medium,  and  large  paekets.  When  messages  are  too  large  for  network  packets,  the  message  is 
fragmented  and  transmitted  into  several  paekets.  Some  attaeks,  sueh  as  Ping  Flood,  may  be 
characterized  by  a  large  number  of  fragmented  messages.  The  ratio  of  fragmented  traffie  to 
unfragmented  traffie  is  measured,  as  well  as  the  rate  of  ehange  of  this  ratio. 

Information  attaeks  usually  attaek  a  speeifie  network  protoeol.  The  aggregate  network 
traffic  is  decomposed  into  streams,  identified  by  network  protoeol.  The  pereentages  of  paekets 
tagged  for  a  speeifie  protocol,  such  as  TCP,  ICMP,  IP,  and  UDP,  are  measured,  as  well  as  the 
derivatives  of  these  rates. 

For  well-known  protoeol-speeific  attaeks,  a  large  oeeurrenee  of  eertain  protoeol  eommands 
or  messages  may  indieate  the  presenee  of  malieious  aetivity.  Protoeol  speeifie  parameters  to  be 
measured  inelude:  the  average  rate  of  oeeurrenee  of  TCP  SYNs,  TCP  ACKs,  and  ICMP  ECHOs 
(pings).  The  instantaneous  rate  of  ehange  of  these  quantities  is  also  monitored. 

Deteetion  of  a  DoS  attaek  at  an  earliest  possible  stage  of  its  exeeution  requires  analysis  of 
an  appropriate  quantitative  representation  of  network  status.  In  DoS  attaeks,  single  network 
paekets  do  not  operate  in  isolation.  An  attaek  eonsists  of  one  or  more  streams  of  packets, 
aggregating  into  a  flow  of  malieious  traffie  aimed  at  the  target.  Identifieation  of  individual 
streams  that  are  part  of  an  attaek  requires  monitoring  the  state  of  paekets  in  the  network.  Thus, 
attaek  deteetion  requires  both  the  observation  of  individual  paekets  in  the  network  as  well  as  the 
eombined  effeet  of  these  paekets  on  network  state. 
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Table  1  shows  the  fields  of  individual  paeket  headers  that  are  monitored  with  the  aim  of 
differentiating  legitimate  packet  streams  from  those  that  are  part  of  an  attack.  The  encoded  bits 
of  these  fields  can  be  treated  as  numerical  values  for  purposes  of  numerical  analysis.  For  a 
specific  attack  scenario,  some  parameters  are  likely  to  be  more  important  than  others.  In  some 
DoS  attack  scenarios,  a  specific  network  protocol  is  targeted.  The  protocol,  port,  and  type  fields 
contained  in  Internet  packet  headers  provide  information  on  the  protocol  service  that  the  stream 
of  packets  is  using.  The  sender  of  the  packet  is  identified  by  the  source  address.  Although  the 
source  address  may  be  falsified  to  prevent  identification  of  the  attacker,  some  attack  scenarios 
utilize  a  large  number  of  unconcealed  computers  to  flood  the  target,  allowing  separation  of 
malicious  traffic  from  innocuous  traffic.  The  packet  length  and  flow  control  information  may 
provide  an  indication  of  irregular  packet  flows  that  could  be  a  sign  that  an  attack  is  in  progress. 


Table  8-1 .  Monitored  Packet  Parameters 


Parameter 

Type 

Parameters 

Source 

Justification 

Target 

Protocol 

Protocol 

Service 

Type 

IP  -  protocol  field 

TCP  -  port  fields 

TCP  -  flags  field 

Some  DoS  attacks  target  a 
specific  protocol. 

Sender 

Source  Address 

IP  -  source  IP  address 

Attacks  may  be  from 
unconcealed  hosts. 

Flow 

Information 

Flow  Control 
Packet  Length 

TCP  -  window  size  field 
IP  -  packet  length  field 

Abnormal  traffic  patterns 
may  be  indicative  of  an 
attack. 

Although  individual  flow  parameters  can  be  used  to  identify  those  packets  that  are  part  of 
an  attack,  it  is  necessary  to  monitor  the  status  of  the  network  in  order  to  detect  that  an  attack  has 
begun.  This  includes  parameters  such  as  traffic  volume  and  the  number  of  certain  types  of 
connections  that  have  been  established  in  the  network.  In  some  attacks,  the  rate  of  change  of 
these  parameters  may  provide  the  earliest  possible  indication  that  an  attack  has  begun.  Some 
network  status  parameters  that  may  be  important  to  identifying  a  DoS  attack  are  listed  in  Table  2. 

An  increase  in  the  volume  of  traffic  may  indicate  that  a  flooding  type  DoS  attack  has 
been  launched.  The  volume  of  traffic  (in  bytes/s)  and  the  packet  rate  in  (packets/s)  characterize 
the  volume  of  traffic.  Together,  these  two  parameters  also  provide  an  indication  of  the  average 
number  of  bytes  per  packet,  which  may  be  used  as  an  indicator  of  abnormal  traffic  patterns. 
Flooding  attacks  aimed  at  a  specific  protocol  are  usually  characterized  by  an  inordinate  amount 
of  traffic  using  that  protocol.  The  number  of  IP  datagrams,  ICMP  messages,  TCP  segments,  and 
UDP  datagrams  are  monitored  to  detect  such  intrusions. 

Some  DoS  attacks  may  establish  a  large  number  of  connections  the  target  network  to 
exhaust  the  total  number  of  connections.  Others  prevent  legitimate  access  by  leaving 
connections  in  an  unusable  state.  Thus,  the  total  number  of  connections  is  monitored,  as  well  as 
those  connections  that  are  half-open  (have  only  been  partially  established)  or  half-closed  (are  not 
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in  use,  but  have  not  been  properly  shut  down).  Finally,  an  attack  might  be  indicated  by  an 
inordinate  number  of  connection  control  operations.  These  include  requests  to  reset  connections 
as  well  as  requests  for  retransmission  of  lost  data. 

Table  3  lists  the  components  of  the  vectors  that  are  produced  by  the  network  monitoring 
system.  As  part  of  this  research,  we  are  studying  which  characteristics  of  network  traffic  are 
most  informative  to  permit  detection  of  the  widest  range  of  DoS  attacks  with  the  smallest  subset 
of  components  in  the  network  status  vector.  Thus,  components  of  the  sensor  vector  are 
continually  being  updated. 


Table  8-2.  Aggregate  Network  State 


Parameter  Type 

Parameter 

Justification 

Traffic  Volume 

Volume  (bytes/s) 

Rate  (packets/s) 

Flooding  type  attacks  may  exhibit  unusual 
volume  or  inordinate  packet  rate. 

Protocol  Usage 

ICMP  Packet  Rate 

IP  Packet  Rate 

TCP  Segments  Rate 
UDP  Datagram  Rate 

Protocol  flood  attacks  may  be  characterized 
by  high  packet  rates  for  the  protocol. 

Connection 

Status 

Total  Connections 
Total  half-open 

Total  half-closed 

Some  DoS  attacks  open  a  large  number  of 
connections,  or  leave  many  connections  in  a 
half-open  state. 

Connection 

Characteristics 

Resets  Sent 

Resets  Received 
Retransmissions 

Irregular  traffic  patterns  may  be  indicated  by 
large  number  retransmissions  or  resets. 

Table  8-3,  Components  of  network  status  vector  produced  by  network  monitoring  system. 


Variable 

Description 

Xl 

volume  of  the  flow,  in  bytes  per  second 

X2 

volume  of  the  flow  rate  of  change 

X3 

average  length  of  a  packet 

X4 

average  length  of  a  packet  rate  of  change 

X5 

volume  of  the  flow,  TCP  packets  per  second 

X6 

volume  of  the  flow,  TCP  packets,  rate  of  change 

x? 

volume  of  the  flow,  ICMP  packets  per  second 

X8 

volume  of  the  flow,  ICMP  packets,  rate  of  change 

X9 

volume  of  the  flow,  IP  packets  per  second 

XlO 

volume  of  the  flow,  IP  packets,  rate  of  change 
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Xll 

volume  of  the  flow,  UDP  packets  per  second 

Xl2 

volume  of  the  flow,  UDP  packets,  rate  of  change 

Xl3 

percentage  of  large  packets  in  the  flow 

Xl4 

percentage  of  large  packets  in  the  flow,  rate  of  change 

Xl5 

percentage  of  medium  packets  in  the  flow 

Xl6 

percentage  of  medium  packets  in  the  flow,  rate  of  change 

Xl7 

percentage  of  small  packets  in  the  flow 

Xl8 

percentage  of  small  packets  in  the  flow,  rate  of  change 

Xl9 

average  rate  of  occurrence  of  TCP  SYNs 

X20 

time  derivative  of  the  average  rate  of  occurrence  of  TCP  SYNs 

X21 

average  rate  of  occurrence  of  TCP  ACKs 

X22 

time  derivative  of  the  average  rate  of  occurrence  of  TCP  ACKs 

X23 

average  rate  of  occurrence  of  ICMP  ECHOs 

X24 

time  derivative  of  the  average  rate  of  occurrence  of  ICMP  ECHOs 

Q  =  ”A” 

indication  of  a  known  attack 

Q  =  “B” 

normal  operation  of  the  network 

Real-Time  Attack  Detection  Software 

The  real-time  attaek  deteetion  software  is  similar  to  the  network  monitoring  software 
described  above.  This  program  is  written  in  C++  using  the  PCAP  packet  capture  library.  With 
the  network  interface  in  promiscuous  mode,  all  network  packets  are  inspected  and  passed  to  the 
same  parsing  function,  which  computes  relevant  sensor  statistics  based  on  an  analysis  of  packet 
headers.  Instead  of  periodically  adding  the  network  status  vectors  to  a  database  at  predefined 
intervals,  however,  the  vectors  a  reevaluated  against  the  ellipse-based  classification  rules  learned 
by  the  clustering  algorithms.  Based  on  the  classification  of  each  vector,  an  updated  probability 
of  attack  is  computed  and  output  to  the  computer  console. 

To  evaluate  the  proposed  approach  to  attack  detection  in  computer  networks,  we  have 
chosen  the  two  most  common  types  of  denial  of  service  attacks  deployed  as  of  the  writing  of  this 
paper:  TCP  SYN  attack  and  Ping  Flood  attack.  A  software  implementation  of  each  attack  was 
written  in  C++  and  launched  from  computers  outside  of  the  experimental  network.  Attack 
packets  were  tagged  (utilizing  the  unused  type  of  service  field  in  the  IP  packet  header)  for 
classification  by  the  network  monitoring  station. 

For  each  attack  type,  a  database  of  network  status  vectors  was  collected  over  a  24  hour 
period  at  1  second  intervals.  During  this  24  hour  period,  two  attacks  were  launched  at  arbitrary 
times.  Thus,  the  database  for  each  attack  contained  vectors  representing  both  the  normal  status 
of  the  network  and  the  status  of  the  network  during  an  attack. 

The  experimental  results  obtained  using  the  network  testbed  are  shown  in  the 
previous  section  of  this  Report. 
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IX.  Further  Research 


The  biological  immune  system  is  very  effective  in  protecting  a  very  complex  organism 
from  attacking  organisms  and  dangerous  proteins.  It  is  automatic  and  requires  no  “user 
intervention”.  Extending  functionality  of  the  immune  system  to  computer  networks  can 
potentially  provide  for  a  complete  defense  mechanism  against  malicious  network  traffic  and 
computer  code.  The  incidental  similarities  between  both  systems  establish  a  solid  foundation 
from  which  to  build  a  more  comprehensive  network  defense  mechanism.  The  fundamental 
differences  between  the  two  is  the  lack  of  an  “active”  component  in  the  computer  system  and 
coordination  between  existing  defense  mechanisms  to  assist  in  limiting  or  altogether  preventing 
an  attack. 

It  has  been  shown  that  an  excessively  long  delay  in  the  detection  of  the  attack  and  limited 
system  and  network  resources  are  factors  that  can  lead  to  network  fatality.  It  is  apparent  that  the 
longer  the  delay  of  detection,  the  more  resources  are  required  to  defend  against  the  attack  or  that 
attempts  to  thwart  an  attack  are  unsuccessful.  Since  the  DoS  attack  specifically  attacks  network 
resources,  detection  mechanisms  that  rely  on  previous  known  forms  of  attack  or  long-term 
detection  are  not  suitable. 

The  following  issues  are  to  be  investigated  under  the  continuation  of  the  BASIS  project. 

Establishment  of  accurate  equations  of  attack/response  dynamics  in  computer 
networks.  As  it  was  said  earlier,  equations  representing  the  dynamics  of  the  immune  response 
may  not  be  accurate  due  to  poor  knowledge  of  their  parameters.  Similar  parameters  representing 
a  computer  network  and  particular  types  of  information  attacks  could  be  assessed  with  much 
greater  accuracy.  When  established,  these  equations  can  be  used  for  the  definition  of  control  laws 
to  be  implemented  in  computer  security  systems. 

Distribution  of  Load.  It  has  been  shown  that  the  effectiveness  of  thwarting  an  attack  is 
determined  by  both  the  delay  in  the  detection  and  the  resource  utilization  of  the  system(s)  under 
attack.  Since  modern  network  architectures  are  hierarchical,  a  single  mechanism  can  be 
developed  and  deployed  across  a  wide  range  of  domains.  Architecturally,  a  common  model  that 
captures  the  essential  characteristics  of  networked  computer  systems  could  be  established.  Once 
modeled,  a  system  of  agents,  which  employ  not  only  the  networked  computer  systems,  but  also 
the  networking  hardware,  can  be  developed  to  distribute  the  load  for  attack  detection  and 
suppression. 

Self  verses  Non-Self.  One  of  the  hallmarks  of  the  biological  immune  system  is  its  ability 
to  determine  self  from  non-self  While,  with  computer  software,  there  is  a  determining  self/non¬ 
self  aspect,  with  network  traffic  this  determination  is  not  so  easy.  Here  the  basic  determination  is 
malicious/non-malicious,  or  more  generically  normal/abnormal.  There  has  been  some  research 
into  this  area,  but  none  has  yet  been  able  to  accomplish  reliable  and  timely  determination  of 
malicious.  We  intend  to  continue  this  research,  developing  the  established  results  further. 

Failsafe  system  design.  The  designed  defense  mechanism  should  employ  some 
functional  redundancy.  The  biological  immune  system  has  many  different  levels  of  protection; 
each  independently  can  either  delay  or  prevent  an  attack  from  an  antigen.  Many  computer 
defenses  are  singular,  with  only  a  single  mechanism  employed  for  each  functional  protection. 
This  not  only  makes  computer  systems  vulnerable  to  attack,  the  actual  software  employed  can 
also  be  assaulted  thereby  crippling  or  disabling  a  system’s  defenses.  We  intend  to  develop 
practical,  “biologically  inspired”  recommendations  to  computer  network  designers. 
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It  was  stated  that  one  of  the  goals  of  the  BASIS  projeet  is  the  eross-pollination  between 
immunology  and  eomputer  engineering.  The  following  proposal  recently  funded  by  the  AFOSR 
has  been  directly  inspired  by  the  BASIS  research: 

Recognition  of  Computer  Viruses  by  Detecting  their  “Gene  of  Self-Replication”  A 
high  percentage  of  information  attacks  are  performed  by  developing  and  distributing  computer 
viruses  over  the  Internet.  Typically,  the  file  containing  a  computer  virus  is  transmitted  over  the 
Internet  to  the  user’s  computer  and  subjected  to  decoding.  Then,  the  interpreter  generates  the 
sequence  of  macro  commands  of  the  virus  that  are  executed  by  the  operating  system  thus 
resulting  in  the  implementation  of  all  destructive  functions  of  the  virus.  Self-replication  is  a 
common  feature  of  most  computer  viruses,  and  is  quite  uncommon  for  a  legitimate  code.  As  with 
any  function  of  a  computer  code,  self-replication  is  programmed,  i.e.  the  sequence  of  macro 
commands  resulting  in  the  self-replication  is  present  in  the  computer  code  of  the  virus.  It  is 
known  that  the  function  of  self-replication  could  be  implemented  in  many  ways,  and  therefore, 
there  is  more  than  one  sequence  of  macro  commands  that  would  perform  this  task.  Moreover,  it 
is  expected  that  such  a  sequence  is  being  dispersed  within  the  entire  body  of  the  code  and  cannot 
be  detected  as  an  explicit  pattern. 

We  are  interested  in  the  development  of  a  methodology  facilitating  the  detection  of  the 
“gene  of  self-replication”  in  computer  codes.  Unlike  the  existing  anti-virus  software,  this 
methodology  has  the  potential  for  providing  the  protection  from  previously  unknown  viruses. 

The  feasibility  of  this  task  is  justified  by  the  following  considerations: 

-  while  the  self-replication  could  be  achieved  in  a  number  of  different  ways,  this  number 
is  definitely  finite 

-  by  its  nature,  detection  of  one  of  the  sequences  of  macro  commands  of  interest  in  a 
large-size  computer  code  is  close  to  the  problems  of  cryptology  that  can  offer  a  number  of 
successful  techniques 

-  the  problem  has  a  straight-forward  analogy,  the  detection  of  antigens  by  the  immune 
system,  and  the  detection  mechanism  could  be  adopted  and  replicated 

We  propose  to  conduct  a  feasibility  study  comprising  the  following  tasks: 

1.  Establish  a  not  necessarily  complete  set  of  alternative  computer  instructions 
implementing  the  task  of  self-replication.  The  resultant  sequences  of  macro  commands  will  be 
subjected  to  syntactic  analyses  leading  to  the  most  simplified  and  generalized  description  of  the 
“gene  of  self-replication” 

2.  Investigate  the  self-replication  techniques  utilized  in  a  number  of  known  typical 
computer  viruses 

3.  Develop,  implement  in  software,  and  evaluate  the  efficiency  of  a  number  of 
techniques,  adopted  from  cryptology  and  syntactic  analysis,  capable  of  detecting  the  required 
“word”  in  a  randomly  generated  character  sequence 

4.  Subject  known  typical  computer  viruses  and  legitimate  software  to  syntactic/ 
cryptographic  analyses  aimed  at  the  detection  of  the  sequences  responsible  for  the  self¬ 
replication  task.  Assess  performance  of  particular  techniques  and  their  potential  for  the 
development  of  on-line  anti-virus  software 

5.  Investigate  the  use  of  peptide-based  antigen  detection  mechanism  of  the  immune 
system  and  establish  its  formal  description.  Assess  its  potential  for  the  development  of  on-line 
anti-virus  software 
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